How KYC/AML regulations affect businesses and customers

Money laundering has received a lot of attention due to the recent cases of high-profile financial crimes. As new technological loopholes appear, both customers and businesses face increased risk if the security measures are outdated. Many businesses are implementing KYC and AML-related regulatory measures to ensure security and compliance. However, these regulations have a major impact on both financial companies and their customers.

Learn from our article what KYC/AML regulations are and how they impact businesses and customers:

What is Know Your Customer (KYC) and why is it important?

Ensuring that you know who your customers are is known as Know Your Customer. KYC does not have a separate law that explains the process in full detail; instead, KYC criteria have been incorporated into several European regulations in line with each regulation's objectives. The authenticity of a customer's identity and risk characteristics can only be established if KYC standards are adhered to. However, it's difficult to implement these plans without the cooperation of both the customer and the business. This segment will discuss what KYC is and why it is important.

Definition of Know Your Customer (KYC)

KYC is a process used by institutions to verify customers' identities before allowing them to use their services. It may consist of the institution asking its customers to provide IDs, proof of address, and other documents the institution finds necessary. It works alongside anti-money laundering rules and regulations to guard against financial crimes.

All financial institutions are required to adhere to KYC rules when onboarding a customer or a client. These include banks, credit unions, wealth management and broker firms, fintech companies, lenders, and lending platforms.

The KYC process includes customer identification, due diligence, and continuous monitoring to confirm that customers are who they claim to be, as well as to assess their level of risk and flag any unusual activity. It's possible for KYC to be triggered even if there are no suspicious transactions taking place.

What is the main goal of Know Your Customer?

The objective of KYC is to ensure that an institution's customers are not using its services for criminal activities. It is the primary step for banks and other financial institutions to prevent financial crimes and money laundering. Knowing about a customer beforehand enables banks and financial institutions to manage the potential risks diligently. All financial institutions use KYC to help their anti-money laundering function cut off the flow of money that funds illegal activities.

What is anti-money laundering (AML) and why is it important?

Money laundering is the practice of attempting to hide the source of money gained unlawfully through a series of transfers and activities. An important part of this procedure is ensuring that money can be used in the legal economy.

Efforts to prevent criminals from passing off stolen money as legitimate wages are referred to as anti-money laundering efforts. AML policies and procedures are aimed at combating money laundering and terrorist financing, at preventing criminals from concealing the source of cash used in unlawful activity, and are in place to assist financial institutions in their fight. In the EU, member states have been given standards for AML legislation that are highly standardised. Sweden's Anti-Money Laundering Act (the Money Laundering and Terrorist Financing Prevention Act) provides the administrative framework for businesses in specific areas. Banking, real estate, accounting, and insurance are a few of the many professions that fall under the purview of this regulation. 

Different countries have different AML legislation, but all of them require that banks maintain a comprehensive set of standards in order to stay compliant. The European Union has passed and is constantly updating anti-money laundering and anti-terrorism financing rules and regulations. These policies explain in great detail how a financial institution's people, processes, and technology work to prevent the reintroduction of illicit cash into the system, and they also help set the tone for the company and create a culture of compliance.

How has European legislation forced the rest of the world to follow KYC and AML?

European legislation led the rest of the world to follow KYC and AML. Due to global connectivity, companies no longer need a physical presence in a market, and KYC for businesses is now more convenient. Companies can expand to any location online. However, if there's money involved (and there will be), the financial laws of different countries come into play. Every new jurisdiction has its own set of regulations, and no financial institution can afford to ignore these requirements. If a business wants to cater to European customers, it will have to follow European laws. European legislation has played an important role in paving the way for the rest of the world to follow in this ever-changing scenario. Legislation such as the AML Directive, PSD2, MiFID II, and the GDPR aims to combat money laundering through rigorous inspections, improve cross-border cooperation, encourage customer-centric banking innovation, and emphasise combating payment fraud. Businesses are expected to comply without exception if they want to continue operating.

List of regulations that affect businesses

It is critical to understand the macroeconomic and geopolitical background that preceded the adoption of financial regulations in Europe. The world was engulfed in the global financial crisis, and many people were baffled as to how their countries' banking systems got into such a mess in the first place. More people have begun to question how their personal data is being retained and used by companies. There was a growing public distrust of corporations. The Panama and Paradise Papers further heightened public awareness of the widespread use of money laundering tactics in our communities. Furthermore, tragic terrorist incidents have re-emphasised the importance of implementing comprehensive tactics to thwart the funding of terrorism at all levels of government. The following are a number of rules aimed at resolving various problems the financial sector has been confronted with over the last decade. 

Anti-money laundering directive

The significance and the impact of the AML directive were felt when the 4th Anti-money laundering directive amendment was published. This was because the anti-money laundering space could finally be incorporated into a comprehensive regulatory framework. AMLD4 paved the way for a central registration of beneficial owners, and customer due diligence standards were revised.

AMLD5 extended these provisions to art dealers and member state governments. Citizens all around the EU are able to view beneficial ownership registries under AMLD5, which requires the registers to be made publicly available. National beneficial ownership registers for trusts were also mandated as part of the agreement. Additionally, a central register of politically exposed persons, or PEPs, was established under the auspices of AMLD5. Even more importantly, the European Union's electronic signature standard, eIDAS, was explicitly supported, allowing European financial institutions to digitally sign all of their onboarding forms.

The 5th AML Directive applies to a number of other sectors, but they are not as important as the ones discussed.

The 6th AML Directive was issued in order to complete the legal framework and improve the ability of member states to combat financial crime. This latest directive expands criminal culpability and imposes harsher penalties on those who are convicted.

Payment services directive

The original PSD, or Payment Services Directive, was designed to create a unified market for payments in the European Union. PSD2 was launched later in an effort to increase competition between European banks and the new payment service providers that had been challenging the market with better customer service and seamless mobile experiences. Thanks to PSD2, bank customers are now allowed to use third-party providers to manage their money, and banks are required to provide open Application Programming Interfaces (APIs) for users to access their accounts. Third-party providers can be either Account Information Service Providers (AISPs) or Payment Initiation Service Providers (PISPs). An AISP has access to the bank account details of your customers. A PISP can initiate a payment on behalf of a customer without the customer having to enter card details manually for each transaction. If a user gives their permission, a PISP can take money out of their account right away.

Strong Customer Authentication (SCA) is one of the most critical enhancements for organisations' compliance operations under PSD2. To meet the SCA requirement, transactions in the European Union must be protected by a lock based on a password or code, on device authentication, or on biometrics.

Markets in financial instruments directive

The first version of the Markets in financial instruments directive was enacted to promote fair competition for companies in the European Union's financial markets and to assure uniform protection for consumers. MiFID II replaced its predecessor and came into effect with a wider range of provisions. MiFID II includes the Markets in financial instruments regulation (MiFIR) with other delegated acts and guidelines.

MiFID II was published to strengthen the financial system's credibility and rebuild public trust after the Global Financial Crisis. All financial institutions in the EU, such as banks and insurance companies, as well as wealth managers and broker-dealers, are now covered under the Directive. It also includes companies from outside the EU that provide financial services in Europe.

Under MiFID II, financial institutions must do a far better job of informing their customers. Before entering into a commercial agreement with a customer, financial institutions are obligated under MiFID II to assess the customer's risk tolerance and ability to sustain losses.

Organisations will need to process and analyse more data to come up with new criteria. In order to comply with MiFID II, organisations must comprehend their data, analyse and report on it, and track the decision-making plan to make sure that all available information is considered. This means a lot more information on potential customers and their assets is now required for businesses. The KYC requirements for businesses' compliance teams have increased as a result of the necessity to document suitability and appropriateness assessments and the management of client assets. 

General data protection regulation

Personal data has grown exponentially in recent years, and the General data protection regulation was created to help users regain control of their personal data. Transparency is the overarching premise that underpins the new laws. Member states do not need to pass a local law to enforce GDPR because it is a regulation. This rule applies to every organisation that gathers or handles personal data from people in the European Economic Area (EEA), regardless of location.

The GDPR requires firms to provide clearer conditions attached to their services and a right to withdraw consent at will. As a result, individuals can now exercise their right to be forgotten by requesting the complete deletion of any private information pertaining to them. They can also seek access to information on how particular organisations handle their data. The GDPR requires organisations that process significant volumes of personal data on a regular basis to appoint a Data Protection Officer (DPO). The DPO should be well-versed not only in data protection legislation but also in current IT practices and data security. Furthermore, companies outside of the European Union must have an EU-based line of communication for GDPR compliance. The organisation must notify the proper regulatory authorities within 72 hours of becoming aware of a data breach. If the breach involves personal details that could have a detrimental effect on the individuals concerned, those individuals should be notified as soon as feasible.

How do these regulations impact businesses?

The AML Directive brought a thorough regulatory structure to AML. AMLD4 introduced a central registry and changed customer due diligence requirements. Financial companies are now required to take a risk-based approach towards their customers and follow those risk-based policies. AMLD5 extended the AMLD4 and specified politically exposed persons in more detail in the central registry. AMLD6 introduced a comprehensive list of AML offences with tougher penalties. The AMLD and its amendments pushed most financial companies to examine their existing risk policies, which pressured risk and compliance teams to redesign their policies to comply with the directive. The new risk-based approach requires companies to implement different rules to onboard low and high-risk customers. Failure to comply puts companies at risk of being double fined for a single breach. 

MiFID II forced investment companies to be more transparent with their clients regarding their products and prices, but they were also expected to know more about their clients, including their risk tolerance. As a result, businesses must now gather a considerably larger quantity of KYC data during client onboarding, resulting in more data to process and customise customer journeys to match the new criteria. 

PSD2 created an atmosphere in which banking as we know it has changed dramatically by advancing open banking across Europe. As specified in the rules, the most obvious actions banks have taken are to develop their APIs and provide the tools that allow developers at third-party companies to create new apps. Strong customer authentication is one of the key requirements that has undoubtedly kept compliance teams busy. Any organisation in the e-commerce and payments area needed to review its present systems to incorporate SCA methods while maintaining the seamless digital experiences that people had grown to expect. The new rules have obvious consequences for the KYC procedure as well. More businesses are implementing multi-factor authentication credentials. This helps to provide an excellent customer experience and lowers the chance of drop-offs.

Companies had to consider GDPR requirements in their KYC/AML procedures, honour their clients' right to be forgotten, encrypt all information, and comply with data-processing rules. Due to the pervasiveness of data in today's operations, maintaining GDPR compliance necessitates considerable coordination among several departments, including legal/risk, IT, and marketing. It's critical to map out what data is gathered from consumers and when, where it is stored, and who has access to it. Such systems and collaboration are not cheap. Sia Partners estimated the cost of GDPR compliance to be €16.7 million, with banks being the group with the greatest predicted spend.

What is the impact of regulations on customers?

While companies face intense compliance measures from AML directives, customers and clients face restrictive and often tedious processes during onboarding. Based on the customer's risk profile, they may need to provide additional documents, have their transactions delayed due to additional checks, and overall be restricted in their access to and use of the financial institution's services. And while many financial organisations have implemented automated systems to reduce KYC friction, the experience is still not as seamless as customers want.

Lack of harmonisation in KYC compliance poses further problems for customers and clients when being onboarded to a financial service in another EU state. The requirements for KYC compliance vary from member state to member state. Financial companies in one member state may be satisfied with an ID document to comply with KYC, but another company in another state may want additional documents, some of which may not exist in their country.

The most far-reaching issue that comes with KYC is its conflict with GDPR, especially the right of data erasure. AML regulations require financial institutions to retain their clients' data for five years or more, depending on local laws. Of course, what most people do not know is that Article 6 of the GDPR allows data collection and processing in order to comply with AML regulations. Furthermore, Article 17 of the GDPR solidified that legal requirements take precedence over the right to be erased, and the right to be erased will not apply until the legal retention period (5 years under AML regulation) ends.

Each regulation appears to be backed by a few core ideas, notwithstanding their differences in scope and application. Most of them are aimed at resolving the long-standing power imbalance between consumers and businesses. These new laws give customers more control over who has access to their data and how it can be used, including in managing their financial and investment affairs. Another key principle is openness and honesty. There is no doubt that the new regulations are making an effort toward transparency, whether it's providing clients with clearer information about financial investments, creating official registries to better understand companies' ownership structures, or providing access to the data that a specific company holds about us.

It isn't easy to adhere to KYC and AML regulations without sacrificing some level of customer satisfaction. Customers want seamless, completely digital, mobile experiences; they do not want to deal with gruelling policies regarding their data. Businesses know it, but they are obligated to follow the legislation nonetheless. If a customer does not wish to follow through, companies have no choice but to reject the application. For the company, it is better to let a potential customer go than to face lawsuits later for failure to follow KYC.

Onboarding a new client or customer is a difficult process marred by barriers, and it can cause disillusionment among both customers and businesses. Coupled with customers' unwillingness to share data, onboarding becomes unnecessarily lengthy and eventually ends up with data gaps. It costs businesses time and money to fill those gaps, and on top of possible fines there is the risk of losing the customer. It leaves businesses between a rock and a hard place, with no choice but to let go of the potential customer.


Disclaimer: Some text on this website is purely for marketing communication. Nothing published by Quanloop constitutes an investment recommendation, nor should any data or content published by Quanloop be relied upon for any investment activities. Quanloop strongly recommends that you perform your own independent research or speak with a qualified investment professional before making any financial decision.