Know Your Customer (KYC) is mandatory in the UK. Obliged entities include cryptocurrency exchanges, real estate services, iGaming, e-commerce, and financial services, and navigating the various compliance regulations can be a hassle. Even though, at this point, everyone knows the importance of identity verification, certain details or small mistakes can lead to serious consequences.
As KYC requirements vary depending on the operating industry and the jurisdiction, it’s crucial for companies to understand the specifics of how to conduct KYC checks, perform due diligence, and prevent money laundering.
What Companies are Subject to KYC in the UK?
KYC is a mandatory practice in the majority of countries, including the UK. In the United Kingdom, implementing KYC regulations has significantly reshaped various industries, reinforcing transparency and security measures.
KYC is also a pivotal component of anti-money laundering (AML) and counter-terrorist financing (CTF) compliance efforts, requiring businesses to verify the identities of their customers and assess potential risks before engaging in financial transactions.
The KYC process extends across diverse sectors, establishing a robust line of defense against illicit activities. Companies from these industries in the UK are obliged to follow KYC requirements:
- Banks and financial institutions. The financial sector is at the forefront of KYC compliance in the UK. Banks, credit and investment firms, electronic money institutions, money service businesses and payment companies are mandated to perform thorough identity verification and due diligence on customers.
- Cryptoasset businesses. With the rise of digital currencies, the need for KYC protocols has grown exponentially. Cryptocurrency exchanges, crypto wallet providers, peer-to-peer crypto transfer service providers, or initial coin offerings (ICOs) must follow KYC requirements in the UK.
- Real estate. Real estate firms, agents, letting agents or businesses that are dealing with buying or selling property in the UK are subject to KYC regulations. Verifying those who are involved in real estate transactions and ensuring that both buyers and sellers are accurately identified helps maintain transparent financial activities.
- Gaming and casinos. In the UK, the gaming and gambling industry faces strict KYC requirements. Operators must verify the identity and age of the customer to prevent underage gambling and illicit financial activities.
- High-value dealers. Recognizing the potential risk of exploiting these transactions for money laundering and illicit activities, the UK has also established KYC requirements for high-value dealers. Antiques, jewelry, luxury goods, and art dealers must conduct KYC checks.
- Independent legal and professional services. Even legal and professional services are not exempt from KYC obligations. Lawyers, accountants, and other professionals who offer real property transactions or financial services are required to conduct due diligence on their clients to prevent their services from being exploited for illegal purposes.
The complete list of UK-obliged entities required to carry out due diligence checks under the Money Laundering Regulations includes: credit institutions; financial institutions; auditors; external accountants or tax advisors; notaries or other independent legal professionals; trusts or company service providers; estate agents, including when acting as intermediaries; letting agents letting land for the equivalent of €10,000 per month or more; other persons trading goods in cash amounting to €10,000 or more; casinos; exchange services between virtual and fiat currencies; custodian wallet providers; art market participants; operators of freeports storing works of art, and insolvency practitioners.
KYC Requirements for UK Banks and Financial Institutions
The Financial Action Task Force (FATF) is an international intergovernmental organization focused on combating money laundering and terrorist financing.
The UK is a member of the FATF, and it plays a crucial role in shaping and implementing anti-money laundering and counter-terrorist financing policies. The FATF itself has named the UK the “global leader” in promoting corporate transparency.
The UK established KYC and AML requirements through a number of key legislative acts, primarily:
- The Proceeds of Crime Act 2002.
- The Electronic Identification and Trust Services for Electronic Transactions Regulations (eIDAS).
- The Money Laundering, Terrorist Financing and Transfer of Funds Regulations.
Mandatory KYC Documents in the UK
UK banks and financial institutions must check the following documents during their KYC processes:
- Proof of identity. Passport, driver’s license, identity card, or other form of government-issued identification.
- Proof of address. Utility bill, rent bill, phone bill, tax bill, or mortgage statement.
- Proof of income. Tax return, tax statement, letter from employer, pay stub, or recent bank statement.
KYC for Individual and Corporate Clients in the UK
According to the FCA, proof of identity can be collected in document and digital form. UK companies must collect this data from individual clients to comply with KYC requirements:
- Full name
- Date of birth
- Residential address
- Government-issued identity document
- A second supporting document (issued by a public sector body, judicial or government authority, or other FCA-regulated entity in the UK)
During the KYC process for corporate clients, UK companies are required to gather the following information:
- Full name
- Registration number
- Government-issued identity document
The company needs to verify the corporation’s existence by confirming its listing on a regulated market, conducting a search in the relevant company registry, or obtaining a copy of the company’s Certificate of Incorporation.
Additional information is required for private and unlisted companies. That includes:
- Names of all directors
- Names of those who own or control over 25% of the company’s shares
- Names of related individuals who have control over the company
In the case of private and unlisted companies, after assessing the risk, the company can choose to verify one or more directors as needed, aligning with the Customer Due Diligence (CDD) requirements for individuals.
Regarding beneficial owners, the responsible party must employ a Risk-Based Approach (RBA) to verify the identity of the beneficial owners. Consequently, the three main components of a KYC process in the UK are the Customer Identification Program (CIP), Customer Due Diligence (CDD), and Ongoing Monitoring.
Beneficial Ownership UK Requirements
The UK departed from the European Union on January 31, 2020, and the transition period concluded on December 31, 2020. Despite this major turn, there have been minimal alterations to UK AML legislation, given that the majority of it was established prior to Brexit.
Despite that, to meet compliance requirements in the UK under 4AMLD and 5AMLD, businesses must collect corporate information and, on top of that, gather details about beneficial ownership.
According to the FATF, beneficial owner refers to “the natural person(s) who ultimately owns or controls a customer and/or the natural person on whose behalf a transaction is being conducted.”
People With Significant Control (PSCs) Data
People With Significant Control (PSCs) is the term used to describe beneficial owners in the UK. To put it simply, a PSC is someone who owns or controls a company. A company can have none, one, or more PSCs.
Companies must report any changes to PSC information to Companies House, the official UK registry, within 14 days. This data consists of:
- Date of birth
- Usual residential address
- Service address
- Type of PSC conditions
- The date they became a PSC
- If there’s an application for public disclosure protection
UK Risk-Based Approach and Customer Due Diligence Requirements
According to the FCA, companies in the UK should opt for a risk-based approach, which is recommended by the FATF. However, they must construct their own compliance strategies. That’s because there are general guidelines regarding due diligence but no detailed rules explaining how companies should shape their policies.
UK AML regulations describe three main requirements for performing CDD:
- Identify the customer.
- Verify the customer’s identity.
- Assess the nature and purpose behind the business relationship and obtain information where appropriate.
UK KYC Good Practice Guide (GPG)
The UK government also provides a framework of recommendations for identity verification. This Good Practice Guide (GPG) of Identity Proofing and Verification of an Individual includes these points:
- “Strength” — Collect supporting evidence, or identity documents, for the claimed identity.
- “Validity” — Confirm the validity of the gathered evidence. For instance, inspect the document’s security features.
- “Activity” — Check if the claimed identity has existed over time. For instance, acquire records related to credit history or employment.
- “Identity fraud” — Check if the claimed identity is at high risk of identity fraud. For instance, use special fraud prevention tools, such as Fraud Scoring.
- “Verification” — Authenticate and confirm that the identity belongs to the person making the claim. For instance, using AI-powered KYC verification software.
As the customer’s risk level increases, the company must perform more vigilant identity checks. This is exactly what a risk-based approach is all about. Despite that, additional KYC checks can add unwanted friction for the end customer. For this reason, companies adjust the KYC verification flow based on the level of risk.
UK Customer Due Diligence Measures
The best way to conduct customer due diligence is to ask the customer to provide a government-issued ID document, like a passport. Then, companies typically cross-check the data along with other documents, such as utility bills, bank statements, or other official documents. Other sources of customer information in the UK include the electoral register and information held by credit report agencies, such as Equifax.
In general, the FCA mandates companies to apply customer due diligence measures under money laundering supervision.
Companies need to apply customer due diligence measures when:
- Establishing a business relationship with a customer, as well as another party in a property sale.
- There’s a risk of money laundering or terrorist financing.
- You have doubts about a customer’s identification information that you obtained previously.
- It’s necessary for existing customers, for example, if their circumstances change: a) a big change in the level or type of business activity, or b) a change in the ownership structure of a business.
- If you are not a high-value dealer — when you carry out an ‘occasional transaction’ worth €15,000 or more.
- If you are a high-value dealer, when you either a) make a payment to a supplier worth €10,000 or more, or b) carry out an ‘occasional transaction’ worth €10,000 or more.
Instances for Carrying Out Enhanced Due Diligence (EDD)
Enhanced Due Diligence (EDD) measures are meant for high-risk customers. That means EDD is designed for customers who have a higher risk of money laundering or terrorist financing. This depends on the customer’s jurisdiction, the services or products they are trying to access, or the nature of the customer.
Companies must carry out EDD in several cases, including:
- When the customer is not physically present during the KYC check.
- When you enter into a business relationship with a Politically Exposed Person (PEP)*. Often, it will be a non-UK or domestic member of parliament, head of state or government, or government minister, their family members, as well as close associates.
- When you enter into a transaction with a person from a high-risk third country declared by the EU.
- Other situations where there’s a higher risk of money laundering.
*The government presented an amendment to The Money Laundering and Terrorist Financing Regulations 2023. Starting from the 10th of January, 2024, local PEPs are presumed to have a lower risk compared to international PEPs unless additional risk factors are present.
In cases when EDD requirements must be applied to PEPs, companies need to:
- Ensure that only senior management gives approval for a new business relationship.
- Take appropriate measures to establish where the person’s wealth and the funds involved in the business relationship come from.
- Perform stricter ongoing monitoring of the business relationship.
Internal Business Controls and Ongoing UK KYC, AML Practices
Ensuring proper fraud prevention doesn’t stop at the first onboarding stage. After KYC verification, companies must take appropriate steps to prevent any sort of attempts to use them as a money laundering channel. Ongoing monitoring helps businesses detect suspicious activities and prevent potential threats.
To build an adequate AML compliance program, UK companies must include the following controls:
- Appoint a nominated officer and ensure that all employees know how to report suspicious activities to them.
- Appoint a compliance officer in cases when the business is larger or has a more complex structure.
- Identify senior managers and their responsibilities while providing them with up-to-date regulatory compliance information on money laundering risks.
- Train employees on KYC/AML policies and their responsibilities.
- Update and document KYC/AML policies, controls, and procedures.
- Introduce new measures to ensure that the risks of money laundering are properly monitored in the day-to-day running of your business.
Use iDenfy’s KYC Tools to Ensure Compliance in the UK
It’s crucial to know everything from A to Z when it comes to performing KYC checks in the UK. That includes using robust AML tools to adapt to your industry specifics and automate complex, lengthy processes that cause never-ending headaches to compliance teams.
iDenfy’s KYC toolkit includes:
- AI-powered and manual verification of identity documents
- Biometric and liveness checks to match the user with their document
- Reading and processing NFC data
- Automated AML screening and ongoing monitoring checks, such as PEP, sanction list checks, and global watchlists.