Know Your Customer (KYC) procedures and a checklist help businesses validate the identities of their customers, understand the sources of their funds, keep track of their transactions, and report suspicious activities quickly and effectively. The main idea behind the KYC process is to properly manage the customer lifecycle, including identification during customer onboarding, and to take the appropriate actions to prevent money laundering, terrorism financing, and related crimes. Documented KYC procedures and a checklist reduce business risk and exposure to regulatory fines imposed by financial crime enforcement agencies on companies that fail to implement KYC policies and a Customer Identification Program (CIP). Documented KYC procedures are mandatory for a vast number of financial businesses dealing with mass transactions, especially banks.

Know Your Customer (KYC) procedures and checklist

Know Your Customer Requirements and Compliance

Know Your Customer (KYC) is a process of identifying and verifying the identity of clients who open accounts with financial institutions. The goal of KYC is to prevent the illegal use of the financial system for money laundering or terrorist financing purposes.
The KYC requirements are set by regulations in most countries, notably by the Financial Action Task Force (FATF) which is an intergovernmental global body that develops and promotes policies to protect the global financial system against money laundering, terrorist financing, and other related threats.

To support Know Your Customer (KYC) compliance, businesses must provide their customers with specific information about their business and what they do, obtain client agreement on how they will use personal information, and explain how they will protect client data.

Who Should Comply with KYC Requirements?

In general, all companies that have clients engaged in financial transactions are subject to KYC compliance. However, not all of them need to ensure KYC compliance in the same way or detail. Banking, insurance, lending, and similar financial institutions will be obliged under law to apply more detailed compliance procedures than other types of financial or non-financial services providers.
KYC compliance criteria may be different by:

• The location of your company (headquarters)
• The market you serve (B2C or B2B)

Why is KYC Compliance Important?

It is critically important to comply with KYC regulations and requirements because failure to do so may result in heavy fines or, even worse, closure of your company. You might also be held responsible for supporting money laundering or terrorist financing crimes if you neglect proper risk management. Compliance with KYC procedures will protect your business from non-compliance charges brought by government regulators.

KYC Non-Compliance Fines and Penalties

Non-compliance with KYC is subject to fines and penalties based on the specific violation and the country in which your business operates. In general, fines are around $5,000–$10,000 for each document not properly checked, plus additional penalties if money laundering or terrorism financing is involved, which is categorized as financial crime and can lead to jail time.

The Identity Theft Factor

Every year, identity theft becomes more prevalent and sophisticated. An identity theft victim spends countless hours trying to resolve the issues that arise after an identity has been stolen, and businesses spend wasted hours investigating identity theft cases, attempting to collect stolen funds, and reducing their allowance for identity theft losses.
TransUnion estimates that over half of unauthorized activity occurs in the first 30 days after a breach, while financial institutions are still attempting to verify whether or not identity theft was involved.

No matter how big or small your company may be, you must have proper KYC procedures in place for checking customers’ identities and backgrounds to remain compliant with regulations while your business continues to grow and build trust with clients.

Know Your Customer Procedures

There are generally two steps in KYC compliance:

  1. Collecting and verifying your customer’s identification information.
  2. Monitoring transactions to detect and report suspicious activities.

The following is an example of KYC procedures that may guide you when developing KYC processes for your business according to your company’s needs.

  • All customers (new and existing) must be identified with full name, address, date of birth, occupation, nationality, etc.
  • Name matching using various directories available with alternative methods like telephone calls or e-mails to validate identity.
  • Corporate customers’ organizational charts and backgrounds can be used to identify senior management, owners, or shareholders.
  • For the companies involved in high-risk activities such as casinos, front companies, financial institutions, etc., additional due diligence may be required.
  • All documents must be collected and checked by qualified staff.
  • A proper procedure should exist for updating and maintaining KYC records (checklists and forms).
  • Regular training sessions should be held to inform all employees about any changes in procedures and legislation surrounding KYC compliance.
  • A privacy awareness program should be implemented to show how company data is handled to protect customer privacy as required by various laws such as GDPR.

Know Your Customer Checklist

The following list may be used to create a checklist as part of a comprehensive know your customer program:

  • Identify your customers and types of identification information they need to provide.
  • Determine techniques and systems to help verify client identity including official identification documents and databases.
  • Know where your customer comes from, review the risk associated with this place/region before opening an account, and assess the regional legal requirements. For instance, some countries prohibit using services provided by international companies (e.g., VPN). In such cases, you can’t accept any new customers coming from these channels unless they use an address located outside that region.
  • Track your business relationships and continuously assess the risks associated with new customer onboarding and existing customer tracking.
  • Know the purpose of your customer activities and their source of funds to exclude them from being involved in money laundering or other criminal activities.
  • Keep a record for customer onboarding, tracking, and reporting. Keep a history of all events to ensure everything is documented correctly and protected legally. It may be required later as evidence against potential claims by law enforcement agencies or other parties.
  • Identify the red flags for suspicious activities and determine follow-up steps for when a customer meets the criteria, so your staff know how to proceed (e.g., asking for additional supporting documentation).
  • Implement a KYC policy and procedures, make sure the employees know how to implement this policy and follow the necessary steps to avoid mistakes.


In conclusion, Know Your Customer (KYC) is not just about compliance with customer identity verification and documentation requirements. Regulatory compliance may be the main reason behind effective Know Your Customer procedures and a checklist; however, preventing identity theft, reducing criminal activities, and minimizing the risk of terrorism are secondary objectives for businesses. Once specific KYC procedures and a checklist are developed for your business needs, employees must be trained to properly follow the policies and procedures you have established for them, in order to enforce the KYC rules and avoid violations of company policy that can lead to legal problems with law enforcement agencies in the future.

Identity and access management certifications

It is estimated that there will be global cybersecurity expert shortages in the coming years. Millions of cybersecurity jobs will remain unfilled placing many organizations at risk. When it comes to cybersecurity staffing, companies may promote qualified employees from within their organizations or outsource some cybersecurity services to vendors after careful consideration of the risks. Cybersecurity outsourcing may make sense in some instances when niche security expertise is required in some areas or when simple routine tasks may not be worth the cost and effort of internal staff management.

There is a cybersecurity expert shortage of 1.5 million in 2020

Identity and Access Management in Modern Cybersecurity

Cybersecurity is the buzzword for network and system security, which has existed for many years. However, due to the increasing connectivity of devices and networks, cloud services, and the remote workforce as a whole, the computer security risk landscape is expanding and is now commonly referred to as cybersecurity.

One of the main objectives of cybersecurity is to protect data, but high-impact and frequent data breach incidents have increasingly challenged the cybersecurity community. There are hundreds of data breach incidents annually, mostly caused by poor identity and access management processes. The majority of cyber attacks are caused by employee error: employees unwittingly give away their access information to hackers when they fall victim to phishing scams.

The computer security risks will continue to evolve as we change the way we use technology. For example, the increase in the number of connected portable devices, widespread proliferation of personal data, Bring Your Own Device (BYOD) policies of companies which allow employees to use their personal phones and devices for business purposes to save cost, as well as remote working and cloud storage or computing will continue to introduce new risks.

To better understand the cybersecurity risks, let’s first imagine how our world is evolving. Although we may not all immediately agree on the details of the cybersecurity evolution, we can all generally agree that the arrival of smart and self-driving cars, self-improving robots, artificial or augmented intelligence such as IBM Watson, and a multitude of connected devices, also called the Internet of Things (IoT), is inevitable.

Drones are already here in limited numbers and are used for delivery, farming, and imaging, but drone capabilities and numbers are expected to grow. The FAA predicts that drones will be a $90 billion industry within a decade. And Gartner estimates there are 6.4 billion connected “things” today, which are expected to grow to 21 billion in 2020, of which over 13 billion will be household devices used by consumers.

According to Henry Bagdasarian, Founder of Identity Management Institute, “connected and smart devices which are also embedded in cars and household appliances will perform many tasks on our behalf; share information, make payments, and carry a ton of data thanks to the ever increasing data storage capacities of devices and decreasing costs. Data privacy and security risks will continue to be of utmost concern, especially, the definition of identity theft will be expanded to include device identity takeover by another device. Proper management of device identity, security, connectivity to other devices, access, data sharing, and authorization to perform tasks will be crucial in the new tech world.”

Private and public sectors must work together to promote the cybersecurity profession and address the global cybersecurity expert shortages. IMI has published a cybersecurity career guide to guide and encourage IT professionals and students to join the cybersecurity industry.


There are ways to avoid card skimming fraud, a form of credit or debit card fraud in which magnetic stripe data and possibly the associated PIN are stolen from victims to make unauthorized purchases online and over the phone, or to create counterfeit cards to purchase items in person. In most cases, this is done with an electronic device that reads the magnetic stripe on the back of the card when the card is inserted into a card reader at a gas station, ATM, or elsewhere. Card information such as the cardholder’s name, card number, and expiration date is captured by criminals who have attached a hidden card skimmer to the card reader at a bank ATM or gas pump, for example, along with a hidden camera that records PINs as they are entered on the keypad.

Ways for Avoiding Card Skimming fraud

Card Skimming Case

Some Costco shoppers were notified in early November 2021 to look out for possible signs of credit card fraud. The fraud notification warned customers about potential card skimming scams that had affected approximately 500 Costco customers who used their cards for purchases in four Chicago warehouses around the affected period. The skimming devices were discovered by Costco employees during a routine check in August 2021. The devices apparently stole card information such as CVV codes, cardholder name, card number, and card expiration date.

Card Skimming Technology

Card skimmers come in various forms, from relatively simple devices that capture data from card swipes to more complex ones that produce counterfeit cards from the data stolen from the magnetic stripe of the original card. Some skimmers are placed inside real PIN pad devices at banks and retail stores alike; others are placed over the real card slot on automated teller machines (ATMs) or gas pumps. They often come with a tiny hidden camera that records PINs as they are entered on the PIN pad, so scammers can not only make purchases but also withdraw money from accounts using the stolen PIN.

Card Skimming Fraud Stats

According to a recent Aite Group report, 68 percent of business executives consider ATM skimming to be a serious concern. Some of this form of fraud should diminish as EMV (Europay, MasterCard, and Visa) cards are issued and ATMs are upgraded to allow EMV chip transactions. However, scammers seem to eventually work around new technology. Other parts of the world where the EMV smart chip was implemented several years ago have faced substantial challenges that have not yet appeared in the US market. As the United States transitions to EMV-compliant ATMs and fraudsters develop new tactics, financial institutions expect cybercrime to overtake skimming as the most serious threat to ATM security.

Where is Card Skimming Scam Most Probable?

Statistics show that gas stations are targeted by scammers more often than any other business type due to the number of card transactions they handle daily for gas payments and other purchases as well as ease of installation of skimming devices and cameras around gas pumps and ATMs with possible collusion with gas station employees.

Avoiding Card Skimming Fraud – Businesses

Businesses that handle credit cards are required by law to adopt security procedures that include training employees on proper payment handling when customers pay with cards. It is essential for employees to immediately report any suspicious activity related to ATM or credit card transactions. The lesson from the Costco incident is to keep strict security around card readers and PIN pads. Only approved staff should handle these devices, to prevent the installation of unauthorized devices and software. Cameras should also be placed in areas where card transactions occur, such as gas pumps and isolated ATMs, to deter the installation of unauthorized devices.

Avoiding Card Skimming Fraud – Cardholders

Here are some helpful tips to avoid credit card skimming:

  • Be suspicious of ATMs that look odd.
  • Avoid using ATMs in secluded areas. If you must use an ATM that isn’t located inside a bank or a typically secure area, look for cameras that might be hidden nearby to capture PINs.
  • Cover the keypad with your other hand when entering PINs.
  • Avoid entering PINs or inserting the card multiple times due to malfunction as this may be a trick to fully capture all data.
  • When paying at a gas station, try inserting your credit card into the machine instead of swiping it through to pay for gasoline or other items.
  • Use the pump closest to the store, in a well-lit area, so that employees and any installed cameras are more likely to have prevented unauthorized device installation.
  • Use credit instead of debit to avoid entering the PIN.
  • Use a chip card reader instead of swiping, as it presents less risk.
  • Consider other payment options such as mobile pay or a digital wallet when possible.
  • Call your bank immediately if you think your credit card may have been compromised after visiting certain businesses. Let them know which businesses you did or did not frequent so they can take steps for protecting your account.
  • Pay attention to the possible fraud notifications you receive from businesses such as in the case of Costco to contact your bank or card company.

Identity and Access Management protocols are designed specifically for the transfer of authentication information and consist of a series of messages in a preset sequence designed to protect data as it travels through networks or between servers. By using third-party authentication, IAM protocols eliminate the necessity of storing login credentials within the system for which they’re used, providing a solution for organizations and institutions seeking to prevent the misuse or abuse of login credentials and reduce the risk of data breaches.

Identity and access management protocols


Breakdown of Identity and Access Management Protocols

Ensuring data confidentiality and integrity is critical in an era where many organizations rely on cloud services, Internet of Things (IoT) connectivity, Artificial Intelligence (AI) and machine learning. Users must be properly identified, authenticated and authorized to access data and applications without compromising the security of login credentials.

Common identity management standards handle user requests for access to data or applications and deliver responses based on the information a user provides. If the format of the information, such as a password or biometric identifier, is correct, the protocol allows the level of access assigned to the user within the system.

Several IAM protocols exist to support strong IAM policies by securing data and ensuring its integrity during transfer. Generally known as “Authentication, Authorization, Accounting” or AAA, these identity management protocols provide standards for security to simplify access management, aid in compliance, and create a uniform system for handling interactions between users and systems.


The Lightweight Directory Access Protocol (LDAP) is an open-source protocol not associated with any specific vendor, although it does provide the basis for Microsoft’s Active Directory. LDAP was established as an industry standard in the 1990s and is among the oldest identity and access management protocols. It runs on top of the TCP/IP stack and is most often used in modern organizations as a tool to handle authentication for on-premises applications.

As the name suggests, LDAP is associated with directory access. When a user wants to connect to a directory, search its contents or modify the directory itself, LDAP relays the information necessary for authentication and subsequent authorization. The protocol is flexible and can be customized to the needs of systems to make locating and interacting with resources on a network easier and more secure.


The Security Assertion Markup Language (SAML) protocol is most often used in systems employing the Single Sign-On (SSO) method of access control. In SSO, one set of credentials allows users to access multiple applications. This method is most beneficial when users must move between applications during sessions. Instead of requiring individual logins for each application, SSO makes use of data already authenticated for the session to streamline the switch between applications. The resulting increase in efficiency helps prevent bottlenecks in the authorization process.

SAML is an open standard, making it available to any organization. However, it can’t be used to authenticate or authorize device connections and isn’t popular for supporting access to internal applications. This effectively limits the protocol to third-party applications, such as the cloud tools used by most modern businesses. As Software-as-a-Service (SaaS) continues to grow in popularity, SAML is an integral part of corporate IAM.


Like SAML, OpenID is used for web applications and can be seen in practice when interacting with products from Google and Yahoo!. Implementation of this protocol is less complicated than implementation of SAML, making it more accessible for a variety of applications.

Part of the benefit of OpenID for consumer applications is the ability for users to maintain a consistent identity across platforms. It supports the use of a single identifier and password to connect with every service a user is authorized to access. In a web environment, this means the user’s avatar and profile remain the same between services. This makes users easier to recognize and preserves the continuity sought by those working to become influencers and thought leaders.

Businesses are beginning to make use of OpenID in cloud applications to leverage the benefit it offers in terms of efficiency. It provides the same advantage as SAML in its ability to streamline workflows involving multiple applications and helps to maintain the integrity of individual user identities within complex systems.


Large customer-facing platforms like Facebook, Google and Twitter rely on OAuth to connect third-party applications with the permission of users. OAuth works by allowing approved applications to use login credentials from one service or platform to provide access to additional applications without requiring separate logins. Authorization may be granted or revoked by the user at any time.

When credentials are sent using this protocol, OAuth works to authenticate the identity of the initial user and authorize connections between applications. This type of authorization is known as “secure, third-party, user-agent, delegated” authorization and doesn’t require the initial credentials to be transferred between applications in order for a user to gain access.

OAuth is similar to OpenID in its applications and has some of the same functionality as SAML. Because it grants access without creating another point at which access credentials can be compromised, OAuth can benefit organizations using or building applications for which such extended access is required.


This free, open protocol was developed at the Massachusetts Institute of Technology (MIT) and uses a system of tickets and authenticators to verify user identities. Kerberos isn’t in wide use except by Microsoft Windows applications, in which it aids the automatic sign-in process for Microsoft products and resources.

In systems using Kerberos, a “Kerberos realm” is created to encapsulate all the resources to which a user may request access. This realm also houses the Key Distribution Center (KDC), which contains the authentication server (AS) and the ticket granting server (TGS). When authentication credentials are provided using the SSO method, a series of actions is triggered in which the user’s information is located, encrypted keys are sent back and forth between the user and the server, and, if the access credentials are correct, a ticket is granted for the session. In this client-server identification scenario, information is verified back and forth between the user and the system to establish the authenticity of credentials and proof of identity.

The benefit of this complex system of servers, keys and tickets is the user’s password doesn’t have to be stored on a local server or sent over the network connection. Instead, the entire process is handled within the Kerberos realm. This makes Kerberos identity management protocols particularly useful for the transfer of information over non-secure networks. Keys and tickets provide security for authorization data, thereby protecting credentials from hackers.
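The exchange described above, simulated end to end as an added example (not code from the page, MIT Kerberos or Microsoft): a client obtains a TGT from the AS, trades it for a service ticket at the TGS, and presents the ticket to a service that verifies it with only its own key. The realm, principals and passwords are constructed, and the `encrypt`/`decrypt` helper is a toy SHA-256 keystream plus HMAC construction standing in for Kerberos’s real AES encryption types; the point it demonstrates is that the password never leaves the client.

```python
import hashlib
import hmac
import json
import os
import time

CLOCK_SKEW = 300  # seconds; authenticators outside this window are rejected

def string_to_key(password: str, salt: str) -> bytes:
    """Stand-in for Kerberos string2key: derive a long-term key from a password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt.encode(), 10_000, 32)

def encrypt(key: bytes, obj) -> bytes:
    """Toy authenticated encryption, NOT Kerberos's AES etypes: SHA-256
    keystream XOR over the JSON body, then an HMAC-SHA256 tag."""
    pt = json.dumps(obj).encode()
    nonce = os.urandom(16)
    ks = b"".join(hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest()
                  for i in range(len(pt) // 32 + 1))
    ct = bytes(p ^ k for p, k in zip(pt, ks))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def decrypt(key: bytes, blob: bytes):
    """Inverse of encrypt; a wrong key or a tampered blob fails the tag check."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("bad tag: wrong key or tampered message")
    ks = b"".join(hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest()
                  for i in range(len(ct) // 32 + 1))
    return json.loads(bytes(c ^ k for c, k in zip(ct, ks)))

class KDC:
    """Key Distribution Center of one realm; the AS and TGS share its key database."""

    def __init__(self, realm: str, principals: dict):
        self.realm = realm
        # Long-term keys of users and services; the krbtgt key never leaves the KDC.
        self.keys = {n: string_to_key(pw, realm + n) for n, pw in principals.items()}
        self.keys["krbtgt"] = os.urandom(32)

    def as_exchange(self, cname: str, preauth: bytes):
        """AS-REQ -> AS-REP. Pre-authentication: the client proves it holds its
        key by encrypting a timestamp; the password itself never reaches the KDC."""
        ts = decrypt(self.keys[cname], preauth)["timestamp"]  # wrong key -> ValueError
        if abs(time.time() - ts) > CLOCK_SKEW:
            raise ValueError("pre-auth timestamp outside clock skew")
        sk1 = os.urandom(32)  # session key for client <-> TGS
        exp = time.time() + 36000
        tgt = encrypt(self.keys["krbtgt"], {"cname": cname, "key": sk1.hex(), "exp": exp})
        return encrypt(self.keys[cname], {"key": sk1.hex(), "sname": "krbtgt"}), tgt

    def tgs_exchange(self, tgt: bytes, authenticator: bytes, sname: str):
        """TGS-REQ -> TGS-REP: open the TGT with the krbtgt key, check the
        authenticator under the TGT session key, then issue a service ticket."""
        t = decrypt(self.keys["krbtgt"], tgt)
        if time.time() > t["exp"]:
            raise ValueError("TGT expired")
        sk1 = bytes.fromhex(t["key"])
        a = decrypt(sk1, authenticator)
        if a["cname"] != t["cname"] or abs(time.time() - a["timestamp"]) > CLOCK_SKEW:
            raise ValueError("authenticator does not match ticket")
        sk2 = os.urandom(32)  # session key for client <-> service
        st = encrypt(self.keys[sname], {"cname": t["cname"], "key": sk2.hex(), "exp": t["exp"]})
        return encrypt(sk1, {"key": sk2.hex(), "sname": sname}), st

def client_login(kdc: KDC, cname: str, password: str, sname: str):
    """Client side of all three exchanges; the password is used only locally."""
    k = string_to_key(password, kdc.realm + cname)
    as_rep, tgt = kdc.as_exchange(cname, encrypt(k, {"timestamp": time.time()}))
    sk1 = bytes.fromhex(decrypt(k, as_rep)["key"])
    auth1 = encrypt(sk1, {"cname": cname, "timestamp": time.time()})
    tgs_rep, st = kdc.tgs_exchange(tgt, auth1, sname)
    sk2 = bytes.fromhex(decrypt(sk1, tgs_rep)["key"])
    # AP-REQ: the service ticket plus a fresh authenticator under the service session key.
    return st, encrypt(sk2, {"cname": cname, "timestamp": time.time()})

def service_accept(service_key: bytes, st: bytes, authenticator: bytes) -> bool:
    """AP-REQ check at the service: no call to the KDC, only its own key (keytab) is needed."""
    try:
        t = decrypt(service_key, st)
        a = decrypt(bytes.fromhex(t["key"]), authenticator)
    except ValueError:
        return False
    fresh = abs(time.time() - a["timestamp"]) <= CLOCK_SKEW and time.time() <= t["exp"]
    return fresh and a["cname"] == t["cname"]

def demo():
    """Constructed realm: alice reaches 'fileserver'; a wrong password fails at pre-auth."""
    realm, svc_pw = "EXAMPLE.COM", "constructed-keytab-secret"
    kdc = KDC(realm, {"alice": "correct horse battery", "fileserver": svc_pw})
    st, auth = client_login(kdc, "alice", "correct horse battery", "fileserver")
    keytab = string_to_key(svc_pw, realm + "fileserver")  # the service's own copy of its key
    accepted = service_accept(keytab, st, auth)
    try:
        client_login(kdc, "alice", "wrong password", "fileserver")
        rejected = False
    except ValueError:
        rejected = True
    return accepted, rejected
```

Note that every message the KDC or the service receives is checked under a key it already holds; what crosses the network are tickets and timestamps, never the user’s password or its derived key.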


Once used to authenticate users on dialup connections, the Remote Authentication Dial-In User Service (RADIUS) is now employed mostly for network services, such as wireless connections, VPNs and network infrastructure.

RADIUS works by hiding authentication credentials within a packet and is sometimes used with an LDAP server to increase the level of security and provide a greater degree of access control. RADIUS is best suited for applications requiring general authorization, but due to shortcomings in the protocol, it has largely been replaced by updated AAA standards.

When RADIUS was in common use, it functioned to store user profiles in a central database, allowing remote servers to share the information and organizations to implement improved security measures by housing all user data in one place.
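What “hiding credentials within a packet” means in RADIUS, as an added example that is not code from the page: the RFC 2865 User-Password scheme (MD5 of the shared secret and the Request Authenticator, XORed over the padded password) and the Response Authenticator the NAS uses to check a reply. The shared secret, user and password are constructed. The example also shows the protocol’s weak spot the text alludes to: the hiding is keyed only by the shared secret, there is no integrity protection on the Access-Request itself, and MD5 is the only primitive, which is why RADIUS over TLS or Diameter is preferred today.

```python
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD = 1, 2


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def hide_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """RFC 2865 section 5.2: pad to 16-byte blocks and XOR each block with
    MD5(secret || previous block); the first block uses the Request Authenticator.
    This is obfuscation keyed by the shared secret, not authenticated encryption."""
    if len(password) > 128:
        raise ValueError("User-Password is limited to 128 octets")
    padded = password + b"\x00" * (-len(password) % 16) or b"\x00" * 16
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        block = _xor(padded[i:i + 16], hashlib.md5(secret + prev).digest())
        out, prev = out + block, block
    return out


def reveal_password(hidden: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Server side: regenerate the same keystream, then strip the NUL padding."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        out += _xor(hidden[i:i + 16], hashlib.md5(secret + prev).digest())
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def attribute(attr_type: int, value: bytes) -> bytes:
    """Type-Length-Value encoding; Length counts the two header bytes."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def parse_attributes(data: bytes) -> dict:
    attrs, i = {}, 0
    while i < len(data):
        attr_type, length = data[i], data[i + 1]
        attrs[attr_type] = data[i + 2:i + length]
        i += length
    return attrs


def build_access_request(ident: int, username: bytes, password: bytes, secret: bytes):
    """NAS side: a fresh 16-byte Request Authenticator and the hidden password."""
    request_auth = os.urandom(16)
    attrs = attribute(ATTR_USER_NAME, username) + attribute(
        ATTR_USER_PASSWORD, hide_password(password, secret, request_auth))
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs))
    return header + request_auth + attrs, request_auth


def response_authenticator(code, ident, request_auth, attrs, secret):
    """RFC 2865 section 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return hashlib.md5(header + request_auth + attrs + secret).digest()


def server_handle(packet: bytes, secret: bytes, user_db: dict) -> bytes:
    """RADIUS server: recover the password, check it, answer Accept or Reject."""
    code, ident, length = struct.unpack("!BBH", packet[:4])
    request_auth = packet[4:20]
    attrs = parse_attributes(packet[20:length])
    password = reveal_password(attrs[ATTR_USER_PASSWORD], secret, request_auth)
    ok = hmac.compare_digest(user_db.get(attrs[ATTR_USER_NAME], b""), password)
    reply = ACCESS_ACCEPT if ok else ACCESS_REJECT
    auth = response_authenticator(reply, ident, request_auth, b"", secret)
    return struct.pack("!BBH", reply, ident, 20) + auth


def client_check_reply(reply: bytes, request_auth: bytes, secret: bytes):
    """NAS verifies the Response Authenticator before trusting the reply code."""
    code, ident, length = struct.unpack("!BBH", reply[:4])
    expected = response_authenticator(code, ident, request_auth, reply[20:length], secret)
    return code if hmac.compare_digest(reply[4:20], expected) else None


def demo():
    """Constructed NAS/server pair: a good login, a bad password, and a reply
    produced under a different shared secret, which the NAS must not trust."""
    secret = b"constructed-shared-secret"
    users = {b"alice": b"s3cret-pass"}
    pkt, ra = build_access_request(7, b"alice", b"s3cret-pass", secret)
    good = client_check_reply(server_handle(pkt, secret, users), ra, secret)
    pkt2, ra2 = build_access_request(8, b"alice", b"wrong", secret)
    bad = client_check_reply(server_handle(pkt2, secret, users), ra2, secret)
    forged = client_check_reply(server_handle(pkt, b"other-secret", users), ra, secret)
    return good, bad, forged
```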


Named as a bit of a play on words, Diameter evolved out of RADIUS and is now replacing the older protocol with a message-based authentication system. Diameter works over TCP and Stream Control Transmission Protocol (SCTP) to exchange positive and negative messages between the user and the system, resulting in access being granted to authorized users and denied those without proper credentials.

Diameter is built on peer-to-peer architecture and functions using three nodes:

  • The client node receives access requests from users
  • The server node is responsible for processing information from access requests
  • The agent node acts as an intermediary between the client and the server

This protocol improves upon RADIUS by allowing more dynamic rules for handling authentication, increased security for message exchanges and better control over the details of access control policies. Encryption prevents packets of information from being intercepted and decoded, and improved service quality ensures all packets are exchanged instead of some being dropped as can occur with RADIUS.


With many businesses relying heavily on SaaS for information exchange, collaboration and customer service tasks, it’s essential to have a protocol with the ability to support dynamic shifts in access requirements. The System for Cross-domain Identity Management (SCIM) protocol fills this role as an open standard capable of automating the exchange of identification data from one IT system to another.

SCIM makes lifecycle management easier by giving organizations the power to automatically provision or deprovision users as they come into or leave a system. By sharing attribute information, SCIM is able to aid in the management of user permissions and maintain unity in data.

Failing to revoke access once a user no longer requires entry into a system leaves the system vulnerable to insider and third-party threats. Organizations adopting SCIM as part of an access management strategy can greatly reduce the risk posed by accounts belonging to former users by ensuring users leaving the system are unable to log in after they no longer require access.
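The provisioning and deprovisioning lifecycle described above, as an added example that is not code from the page or any vendor’s SCIM implementation: an in-memory store that behaves like the SCIM 2.0 `/Users` endpoints (RFC 7643/7644 schema URNs, `PATCH` with `active: false`, `DELETE`, and error responses), the login gate the application itself must enforce, and a reconciliation check that flags still-active accounts for people no longer on the staff roster. The tenant, user names and roster are constructed.

```python
import uuid
from datetime import datetime, timezone

USER_SCHEMA = "urn:ietf:params:scim:schemas:core:2.0:User"
PATCH_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:PatchOp"
ERROR_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:Error"


def _now() -> str:
    return datetime.now(timezone.utc).isoformat()


def _error(status: int, detail: str, scim_type: str = None):
    """SCIM error response; scimType is only defined for some 400/409 cases."""
    body = {"schemas": [ERROR_SCHEMA], "status": str(status), "detail": detail}
    if scim_type:
        body["scimType"] = scim_type
    return status, body


class ScimUserStore:
    """The SaaS side of SCIM 2.0: the identity provider drives these
    methods exactly as it would drive the /Users HTTP endpoints."""

    def __init__(self):
        self.users = {}  # SCIM id -> User resource

    def create(self, body: dict):  # POST /Users
        if USER_SCHEMA not in body.get("schemas", []):
            return _error(400, "User schema missing", "invalidValue")
        name = body["userName"]
        if any(u["userName"].lower() == name.lower() for u in self.users.values()):
            return _error(409, "userName already exists", "uniqueness")
        uid = str(uuid.uuid4())
        res = {"schemas": [USER_SCHEMA], "id": uid, "userName": name,
               "active": bool(body.get("active", True)),
               "meta": {"resourceType": "User", "created": _now(), "lastModified": _now()}}
        self.users[uid] = res
        return 201, res

    def patch(self, uid: str, body: dict):  # PATCH /Users/{id}
        if uid not in self.users:
            return _error(404, "Resource not found")
        if PATCH_SCHEMA not in body.get("schemas", []):
            return _error(400, "PatchOp schema missing", "invalidSyntax")
        user = self.users[uid]
        for op in body.get("Operations", []):
            # Deprovisioning is a replace of 'active'; other paths are out of scope here.
            if op.get("op", "").lower() != "replace" or op.get("path") != "active":
                return _error(400, "only replace of 'active' is supported", "invalidPath")
            user["active"] = bool(op["value"])
        user["meta"]["lastModified"] = _now()
        return 200, user

    def delete(self, uid: str):  # DELETE /Users/{id}
        if self.users.pop(uid, None) is None:
            return _error(404, "Resource not found")
        return 204, None

    def can_log_in(self, username: str) -> bool:
        """The application's own gate: an inactive or deleted user is denied."""
        return any(u["userName"] == username and u["active"] for u in self.users.values())


def orphaned_accounts(store: ScimUserStore, roster: set) -> list:
    """Reconciliation: accounts still active in the app whose owners are no
    longer on the authoritative roster (the missed-deprovisioning case)."""
    return sorted(u["userName"] for u in store.users.values()
                  if u["active"] and u["userName"] not in roster)


def lifecycle_demo() -> dict:
    """Constructed tenant: alice is deactivated, bob deleted, dave forgotten."""
    store = ScimUserStore()
    ids = {}
    for name in ("alice", "bob", "carol", "dave"):
        _, res = store.create({"schemas": [USER_SCHEMA], "userName": f"{name}@example.com"})
        ids[name] = res["id"]
    deactivate = {"schemas": [PATCH_SCHEMA],
                  "Operations": [{"op": "replace", "path": "active", "value": False}]}
    store.patch(ids["alice"], deactivate)  # soft deprovision keeps the record for audit
    store.delete(ids["bob"])               # hard delete
    roster = {"carol@example.com"}         # HR says only carol still works here
    return {"alice": store.can_log_in("alice@example.com"),
            "bob": store.can_log_in("bob@example.com"),
            "carol": store.can_log_in("carol@example.com"),
            "orphans": orphaned_accounts(store, roster)}
```

The `orphans` list is the control that catches what SCIM alone cannot: an account the identity provider never got around to deprovisioning.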


Unlike most other common identity and access management standards, the Terminal Access Controller Access Control System (TACACS) is owned by Cisco. It was originally developed for the U.S. Department of Defense as a protocol to simplify the process of authentication and authorization so that users could move between machines within a complex infrastructure without the need for multiple logins.

Using TCP, user credentials are sent from a remote access server to a central authentication server to complete the authentication process. Authentication packets are fully encrypted to protect the information as it travels between devices and servers.

TACACS has since been updated to TACACS+ and is among the most popular AAA protocols. Most commonly used in UNIX networks, TACACS provides large organizations with granular control over command authorization. This supports the level of security necessary to protect sensitive, confidential and classified information from being accessed by unauthorized users.


The blockchain is often associated with cryptocurrency such as Bitcoin, but this unique “digital record” also has powerful applications for IAM security. It consists of “blocks” of information containing details about users: their identifying attributes, what they can access and what they own. Unlike databases handled by an administrator or organization, the blockchain has no single owner and operates more like a network of multiple databases, each a replica of the other. Information within the databases is synchronized for uniformity and can be accessed by users within a particular blockchain network.

Using the blockchain for authentication could change the way users interact with systems and the framework on which organizations base their access control policies. Since blockchain networks eliminate the need for intermediary gateways or software, using the technology for authentication not only reduces costs but also increases security. Intermediaries are no longer necessary due to the availability of information to trusted parties in blockchain networks, and no information found in the blockchain need ever be stored on a traditional server. Instead, identification attributes and login credentials are hashed and stored in the blockchain and can be accessed directly as the basis for authorization.

Because each of these identity and access management standards has different applications, IAM professionals must work with organizations and institutions to implement appropriate protocols to ensure data security.

Standards have been updated in the past to address changes in technology and the new vulnerabilities presented by an increased influx of data. As the IoT, AI and machine learning all evolve, protocols will continue to change. Timely updates will keep systems secure and continue to provide the protection necessary for integrity of credentials and the security of sensitive data. Maintaining security standards ensures compliance with regulations and allows systems to continue operating without unauthorized interference.


Identity and access management standards are critical for ensuring system security, data confidentiality and integrity in an era where many organizations rely on cloud services, Internet of Things (IoT) connectivity, Artificial Intelligence (AI) and machine learning. Users must be properly identified, authenticated and authorized to access data and applications without compromising the security of login credentials.

Identity and access management standards and protocols

Identity and Access Management (IAM) protocols are designed specifically for the transfer of authentication information and consist of a series of messages in a preset sequence designed to protect data as it travels through networks or between servers. By using third-party authentication, identity management protocols eliminate the necessity of storing login credentials within the system for which they’re used, providing a solution for organizations and institutions seeking to prevent the misuse or abuse of login credentials and reduce the risk of data breaches.

Breakdown of Identity and Access Management Standards and Protocols

Common identity management protocols handle user requests for access to data or applications and deliver responses based on the information a user provides. If the format of the information, such as a password or biometric identifier, is correct, the protocol allows the level of access assigned to the user within the system.

Several protocols exist to support strong IAM policies by securing data and ensuring its integrity during transfer. Generally known as “Authentication, Authorization, Accounting,” or AAA, these identity management protocols provide standards for security to simplify access management, aid in compliance, and create a uniform system for handling interactions between users and systems.

Because each of these identity and access management standards has different applications, IAM professionals must implement appropriate IAM standards to ensure system and data security.

IAM standards continue to be updated to address changes in technology and the new vulnerabilities presented by an increased influx of data. As the IoT, AI and machine learning all evolve, IAM protocols will continue to change. Timely updates will keep systems secure and continue to provide the protection necessary for integrity of credentials and the security of sensitive data. Maintaining security standards ensures compliance with regulations and allows systems to continue operating without unauthorized interference.

The Certified Identity and Access Manager (CIAM) program covers the details of identity and access management standards and protocols.

A customer identification program checklist is an essential tool that identity management experts, compliance officers, AML specialists, and other professionals can use to complete various CIP tasks in order to create and manage a Customer Identification Program (CIP). In most countries, financial institutions must implement customer identification procedures for verifying the identity of their customers when opening accounts. A CIP checklist can help prevent violations of the USA Patriot Act of 2001, Anti-Money Laundering Act, and Bank Secrecy Act (BSA), as well as hefty fines and penalties for noncompliance.

Customer Identification Program (CIP)

What is Customer Identification Program (CIP)?

Customer identification program (CIP) requirements were introduced in 2003 as part of the USA Patriot Act provision that requires identity verification for all customers who open accounts to enter into financial transactions. CIP, commonly referred to as Know Your Customer (KYC), was primarily introduced for tracking money laundering and terrorist funding activities and financial transactions. It requires financial institutions to develop a program for customer identity verification and incorporate the process into their Anti-Money Laundering and Bank Secrecy Act (BSA) compliance programs. The extent of the CIP may be in proportion to the type and size of the organization which must comply with the provision.

Who is Considered a “Customer”?

A “customer” under the CIP rule is a person who opens a new account at a financial institution. Other persons of interest who qualify as customers include:

  • Co-owners of existing deposit accounts.
  • Substituted borrowers for original borrowers through assumption loans.
  • Persons with power of attorney if account holders are legally incapacitated.

The Customer Identification Program rule doesn’t apply to applicants who are denied an account. It only applies when the bank enters into a loan agreement or opens an account, after verifying an applicant’s identity. Identity verification consists of a set of standards, referred to as Know Your Customer (KYC). Each organization within the financial services and investment industry uses its own criteria for verifying customers who apply for accounts or services.

CIP Compliance Requirements

As part of a customer identification program, institutions must assess the risk associated with each account based on the type of account, the methods used for opening accounts, the identifying information used in the process, as well as the size and nature of the organization. A CIP is not meant to be a “one size fits all” type of program.

Financial institutions may consider the following when instituting a CIP:

  • Internal controls, policies, and procedures.
  • A designated compliance officer.
  • Continuous training program for the employees.
  • Independent auditing for testing the program.

Established procedures for opening an account include:

  • Identity verification of any individual opening an account.
  • Record maintenance of information used to verify the person’s identity, such as the name, address, and other information to prove identity.
  • Checking whether an individual appears on government lists of known or suspected terrorists or persons linked to extremist organizations.

Written CIPs must address procedures for:

  • Verifying new customer identity.
  • Creating and maintaining verification records.
  • Ensuring exclusion of new customers from terrorist or extremist organization lists maintained by the government.
  • Providing customers with notification that the financial institution is requesting information to verify their identities.

Who Must Comply with CIP Requirements?

  • Financial institutions
  • Banks
  • Credit Unions
  • Trust companies
  • Investment and lending firms
  • Insurance companies

How is CIP Related to Anti-Money Laundering Laws?

CIP is strongly related to anti-money laundering laws and is required to be included in the AML compliance program. Banks and other financial institutions are required to have a written Customer Identification Program implemented based on their size and type.

General Procedures of an Effective Customer Identification

Companies need to hire a professional compliance officer and/or AML specialist to constantly monitor both their CIP and anti-money laundering programs. If entities fail to comply, they could face criminal charges along with fines and penalties.

General procedures of an effective customer identification program include a risk-based assessment for customer identity verification. An effective customer identification program must include procedures for:

  • verifying customers’ identities
  • identifying required information
  • verifying information and documentation
  • recordkeeping
  • comparing customers against government lists
  • providing adequate notice
  • establishing exemption criteria
  • examining/assessing the CIP processes
  • auditing and testing

CIP Violation Fines and Penalties

Financial institutions that willfully violate the CIP rules may be fined $250,000 and face five years in prison. The harshest punishment for BSA violations and related laws can include fines and penalties up to $500,000 and/or a 10-year prison sentence.

Customer Identification Program Checklist

To ensure CIP compliance and that the customer identification process is completed properly, the following customer identification program checklist may be used; it lists the activities and tasks requiring yes or no responses. Each staff member who completes CIP tasks, such as the account rep, AML specialist, and compliance officer, can use the following CIP checklist items to ensure they follow the customer identification program requirements.

  • Notified anti-money laundering staff of a new client or customer.
  • Reviewed information provided by account representatives about the new client/customer.
  • Created profile for the customer to track the new account opening process.
  • Determined the KYC documents required for verifying the identity.
  • Notified account reps of AML documentation and information needed from the customer.
  • Account reps contacted and requested documents and information.
  • New customer provided documents/information.
  • Account reps sent required documentation and information to AML Compliance Officer or AML Specialist.
  • AML professional received the documents and information.
  • AML Specialist reviewed documents.
  • Validated the identity of the new customer using approved verification methods.
  • Completed review of customer identity.
  • Conducted screening for sanctions per Office of Foreign Assets Control (OFAC).
  • Identified potential matches of the sanctions screening.
  • Investigated possible matches for validation.
  • Prepared escalation documents for potential matches.
  • Reported escalation documentation to the Chief AML Compliance Officer.
  • AML Compliance Officer reviewed escalation document.
  • Approval or rejection of high-risk client by Compliance Officer.
  • Performed other customer due diligence.
  • Assigned client risk rating.
  • Recorded results of risk rating.
  • Opened account for customer based on acceptable risk.

AML compliance officers and other AML professionals create their own checklists based on the type of financial institution they are working for and product offerings. Companies and banks in the financial industry that need additional CIP compliance information can visit reliable sources such as FinCEN and other government agencies.

Final Thoughts

To meet their customer identification compliance needs, organizations are advised to hire qualified identity management compliance professionals to avoid unnecessary penalties and fines for CIP non-compliance with BSA and AML requirements. Use the information in this CIP checklist as guidance when implementing an appropriate CIP compliance program. Learn more about customer identification and verification methods.


Casino customer identity verification and tracking presents many challenges as well as opportunities for improvement. While casinos are not required to have a Customer Identification Program (CIP), they must address money laundering and tax reporting beyond certain transaction amounts with a proper method of identity verification and gaming activity reporting. Casinos also like to track player activity for their players club and loyalty reward programs; however, current player tracking with a conventional players card is not efficient, as we will discuss in this article.

Casino Customer Identity Verification and Tracking

Casino Customer Identity Verification and Tracking – The Problem

Casinos encourage their customers to enroll in their players card program to receive rewards for the time and money they spend in their casinos. This strategy is a win-win for both the casinos and their customers. When players identify themselves with their players card at the slot machines or table games, casinos are able to track how much time and money they spend during their visit so their marketing team can target valuable players and bring them back. Players also receive rewards for allowing casinos to track their gaming activities. One of the problems with anti-money laundering compliance and KYC in the gaming industry is that this is currently a voluntary process and players don’t have to use a players card when playing games. Another problem is that customers who would like to enroll in a players reward program must often stand in long lines to enroll, or even to request a new card if they are enrolled but forgot to bring it to the casino. This process is flawed, as time customers spend in lines to speak with a host is lost revenue for the casinos: players could be playing instead of standing in lines. Secondly, casinos spend huge amounts of money on staff and equipment to print the players cards. Face recognition technology is widely available and can help casinos identify and track all players efficiently at all times. Let’s discuss a recent regulatory change related to casino customer identity verification and tracking and then the face recognition opportunity.

The New FinCEN Rule for Casinos: Non-Documentary Identification

The US Department of the Treasury’s Financial Crimes Enforcement Network (FinCEN) has issued an “exception rule” to casinos that will allow casinos and clubs to rely on ‘non-documentary identification verification’ for casino customers. The new rule took effect in October 2021, and provides regulatory relief called “exceptive relief” which some consider to be an essential step in the right direction for casinos and their customers.

The casinos can identify their customers via various methods such as examining a document like an unexpired driver’s license, passport, or another government-issued identification card, including a military ID. The casinos can also rely on ‘non-documentary means’ such as leveraging personal data verification systems. In the past, FinCEN had provided relief from these regulations to allow financial institutions to obtain and retain information from various sources to verify customer identities without requiring source documents for customers who opened accounts under $500 million in the average daily balance of funds held during each business day over a period of six months.

The new rule provides guidance around acceptable documentation that casinos must retain about their customers when they do not require an individual’s address, and validation of supplemental information with commercially available databases maintained by private companies for these purposes.

FinCEN provides this regulatory relief to casinos and their customers to help combat money laundering activities that are believed to be occurring within the casino industry. While there is no evidence that documented transactions have been linked directly with criminal activity, this was a necessary step identified in the due diligence conducted by FinCEN’s new leadership.

The new rule would provide a great deal of relief to casinos and their customers. It will give them the flexibility to continue being proactive from a compliance standpoint while providing an opportunity for less burdensome regulatory requirements that can help save money, time, and resources. This applies only when dependable methods are used by casinos when trying to identify their customer base along with having an effective oversight program in place. With over 100 billion dollars worth of bets placed annually across 100 different US-based gaming facilities, there needs to be some degree of flexibility in identifying customers. This is what this new rule will provide, along with the proper guidance needed for casinos and their customers to comply.

Face Recognition and Artificial Intelligence (AI) for Activity Tracking

“Face recognition” is a fast-growing and widely used biometric authentication technology which can be used for casino customer identification, age verification, and players’ activity tracking at game tables and machines, allowing for player tracking across multiple casino properties without presenting a players card or signing up for multiple rewards programs each time they visit a casino to play. This will streamline the process to reduce cost and increase revenue for the casinos.

Artificial Intelligence (AI) is a computer science field that emphasizes the creation of intelligent machines capable of reasoning, learning, and solving problems independently. AI can be used in the age verification process through machine learning algorithms that allow computers to learn on their own without being programmed with specific rules or features, which would otherwise limit their capabilities when it comes to identifying individuals based on facial characteristics such as nose shape, eye spacing, etc., just as humans do naturally when looking at another person’s face. In this case, instead of human processing power doing the work, we rely on AI to produce more accurate results under various conditions. This technology is already being used in airports, retail stores, and even concerts to detect potentially dangerous persons or objects that may threaten public safety.

AI, with the power of big data behind it, can make it possible for casinos to better manage their risk profile and provide more opportunities for predictive analysis enhancements with advanced tools. This will lead to improved decision-making capabilities when looking at things like “who” should be targeted by marketing campaigns, while also providing casino managers insights on what types of games and slot machines are most popular among various demographic groups based on age, gender, etc. Casino owners can feed this information into customer relationship management (CRM) systems, so dealers can provide more personalized experiences.

Additionally, using AI can help identify money laundering activities within the industry. This will help casino management and law enforcement agencies better identify suspicious activities and allow casinos to monitor and improve their compliance efforts or increase revenue.


In conclusion, the casino customer identity verification and tracking process can be automated and improved. The main problems with the current process are that not all customers are tracked at all times and that the process of issuing players cards to customers who ask for them is not cost effective or efficient.

The benefits of using face recognition technology are twofold: automated identity and age verification at table games and slot machines, and eliminating the players card by tracking players across multiple casino properties with their consent at all times, without presenting an identification card or signing up for a rewards program each time they play. This will streamline the process, reduce the cost of printing cards, and eliminate player time wasted in players card lines, thus increasing playtime and revenue generated by the casinos.

In just a short period, blockchain technology will solve many of our problems that we have not been able to resolve in decades. The recent announcement from Facebook is just one example of blockchain adoption and how blockchain technology will change our lives in just a few years. Most people equate blockchain with crypto only and cannot yet foresee how blockchain can be applied in many areas to improve the quality of our life.

How blockchain technology will solve many problems and change our world.
A Message from IMI President – October 2021

Facebook CEO, Mark Zuckerberg recently announced at the annual Connect conference that the company is changing its name to Meta and said, “From now on, we’re going to be the metaverse first, not Facebook first”. One of the beneficial characteristics of distributed blockchain technology is decentralization which can also be applied to identity and data management, however, while many platforms like Facebook are likely to adopt blockchain, it remains to be seen how centralized they will remain. Partially decentralized architecture may be the right option for some organizations and their platforms where decision making power about the network is not completely taken away from a central figure or authority. These are just some decisions that will need to be made as the technology is adopted.

How Blockchain Will Solve Many Problems

Although Facebook is late to the game, as the metaverse has been in development for many years by players such as Sandbox and Decentraland, it is just one example of how blockchain technology is rapidly changing our personal and business world. The next 10 years will surely not look anything like the last decade. Blockchain technology will solve some of our biggest challenges that we have either not been able to solve for years or have partially solved with ineffective and inefficient processes, such as in anti-money laundering and financial disclosure laws. To illustrate how blockchain technology solves our problems and improves our world, various blockchain projects which are currently active are solving challenges around digital payment speed and cost, transaction automation with smart contracts, product authenticity validation and counterfeit detection, money laundering, product tracking and supply chain management, data management, and privacy, just to name a few.

Whether we are talking about human identity or device and product identity, transaction data stored on public ledgers will offer immutable and transparent information about the nature and participants of the transactions. Blockchain offers other benefits such as enhanced security, decentralization, self-sovereign identity giving people control of their own data, distributed ledgers for transparency, faster settlement through smart contracts, and trustless consensus for transaction validation which means that even though millions of network nodes which validate transactions may not trust each other, they trust the algorithms that run the core network.

These are just a few examples of how our world will change shortly and the primary objective of the “global reset” may well be the introduction of global digital currencies to replace cash for financial transaction monitoring and control. I look forward to valuable advancements and use cases in the blockchain technology that serve humanity including solving some of our pressing challenges in cybersecurity, identity, and data management.

Henry Bagdasarian

Founder and President

Identity Management Institute

The Ocean Protocol for the digital data economy is a blockchain-based protocol that aims to improve digital data exchange by incentivizing contributions. Blockchain technology has opened new vistas for generating massive amounts of data with greater accuracy, as well as spreading power to users rather than centralized authorities to increase control, safeguard data, preserve privacy, and improve financial fairness. An important aspect of this protocol is that it uses the OCEAN token, a cryptocurrency, as its financial incentive mechanism, bringing features such as fairness, transparency and flexibility.

Ocean Protocol of New Digital Data Economy

The Ocean Protocol is built on the Ethereum platform and utilizes automated contracts, which are computer programs that execute automatically when certain conditions are met, to create rewards for contributors who provide data sets to the network. Contributors can also earn by curating datasets submitted by others to keep them up to date with the latest information. The Ocean Protocol helps in improving the digital data economy through incentivizing contributions by using five critical steps involved in blockchain technology.

This article will discuss how this new technology improves global economic efficiency and provides incentives for everyone to acquire and share data sets globally.

About the Ocean Protocol of Digital Data Economy

The Ocean Protocol is a decentralized network where data creators are compensated for their work. The protocol has received support from various organizations and allows people to monetize the information they produce by selling it on an open market in exchange for cryptocurrency tokens. Another key objective of the protocol is to bring together both consumers and providers of datasets to benefit each other through an efficient sharing mechanism. Ocean Protocol:

  • is built on the Ethereum platform leveraging blockchain to support decentralized data management.
  • utilizes smart contracts which are computer programs that automatically execute when certain programmed conditions are met.
  • is an open-source technology that provides incentives for everyone involved in the process of acquiring and sharing data.
  • incentivizes contributions to improve the digital data economy.
  • creates rewards for contributors who provide data sets to the network.
  • gives others an incentive to keep datasets updated with the latest information.
  • improves data access controls and security with fine-grained permissions.
  • allows data publishers to control access and use of their data.

New Digital Data Economy Incentives

One of the biggest problems with today’s data economy is that there are no incentives to share information, so it tends to concentrate in the hands of a few. Web3 data economy ensures that value generated is shared across the entire spectrum of players involved making it a more equitable, accurate and efficient process through a decentralized network where data creators are compensated for their work.

Data Access Control

The Ocean Protocol uses fine-grained permissions for access control. To access data resources, users need to redeem ERC20 datatokens and pass the access permission controls. To address access control challenges such as allowing only one person to access certain data, or limiting data access to just a handful of persons in a certain country, Ocean introduced market-level and asset-level fine-grained permissions. To control market-level permission, the network uses Role Based Access Control (RBAC). For asset-level permission, data consumers must hold at least one credential in the “Allow” list managed by the controller, in addition to the datatoken, since presenting a datatoken alone would present an access risk.
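The following is an added illustration of the two access layers described above, a market-level role check followed by an asset-level check that requires both a datatoken and an allow-listed credential. It is a constructed model written for this page, not Ocean Protocol's own code; the role name, credential names, asset id and consumer addresses are assumptions chosen for the example. The point it makes is the one in the paragraph: a consumer holding a datatoken but no allow-listed credential is still refused, and nothing is redeemed until every layer passes.

```python
from dataclasses import dataclass, field

# Constructed model of market-level RBAC plus asset-level allow-list checks.
# Added illustration, not Ocean Protocol's own code; names below are assumptions.

MARKET_ROLE_REQUIRED = "consumer"  # assumed RBAC role required at the market level


@dataclass
class Asset:
    asset_id: str
    allow: frozenset  # asset-level "Allow" list of credentials set by the publisher


@dataclass
class Consumer:
    address: str
    roles: frozenset = frozenset()          # market-level roles (RBAC)
    credentials: frozenset = frozenset()    # e.g. {"kyc:verified", "country:CH"}
    datatokens: dict = field(default_factory=dict)  # asset_id -> datatoken balance


def check_access(consumer: Consumer, asset: Asset) -> tuple:
    """Evaluate both layers without spending anything; return (allowed, reason)."""
    # Layer 1: market-level RBAC.
    if MARKET_ROLE_REQUIRED not in consumer.roles:
        return False, "market: missing role"
    # Layer 2a: a datatoken is required but, on its own, is not sufficient.
    if consumer.datatokens.get(asset.asset_id, 0) < 1:
        return False, "asset: no datatoken"
    # Layer 2b: at least one credential must appear on the publisher's allow list.
    if not (consumer.credentials & asset.allow):
        return False, "asset: no allow-listed credential"
    return True, "granted"


def redeem_and_access(consumer: Consumer, asset: Asset) -> tuple:
    """Redeem one datatoken and grant access only if every layer passes."""
    allowed, reason = check_access(consumer, asset)
    if allowed:
        consumer.datatokens[asset.asset_id] -= 1
    return allowed, reason


def demo() -> dict:
    """Run constructed sample consumers against one sample asset; return outcomes."""
    asset = Asset("sample-weather-dataset", frozenset({"kyc:verified", "country:CH"}))
    token_only = Consumer("0xAAA", frozenset({"consumer"}), frozenset(), {asset.asset_id: 1})
    verified = Consumer("0xBBB", frozenset({"consumer"}), frozenset({"kyc:verified"}), {asset.asset_id: 2})
    no_role = Consumer("0xCCC", frozenset(), frozenset({"kyc:verified"}), {asset.asset_id: 1})
    results = {
        "token_only": redeem_and_access(token_only, asset),
        "verified": redeem_and_access(verified, asset),
        "no_role": redeem_and_access(no_role, asset),
        "verified_balance_after": verified.datatokens[asset.asset_id],
        "token_only_balance_after": token_only.datatokens[asset.asset_id],
    }
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The ordering matters for a defender: the cheap, non-consuming checks run first, and the datatoken is only debited once the credential gate has also passed, so a rejected request never costs the consumer a token and never leaks data to a holder who merely bought one.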


The Ocean Protocol can create a new data economy that will benefit all stakeholders in an open & transparent manner. It ensures that value generated is shared across the entire spectrum of players involved making it a more equitable, accurate and efficient process.

It also allows people to monetize their information by selling it on an open market. Contributors can find relevant data sets based on specific criteria, which will help them advance scientific discovery & develop new products/services more efficiently.

This project can help improve the digital data economy by efficiently incentivizing contributions with tokens or cryptocurrency as its financial incentive mechanism. This will bring along lots of features such as fairness, transparency & flexibility. Data creators are compensated for their work while improving global economic efficiency across various industries using blockchain technology.

Certified in Data Protection