Know Your Customer Guidelines
When merchants are looking for ways to avoid ecommerce fraud and the chargebacks that inevitably follow, it can be beneficial to look at what other industries are doing—especially industries that are required by law to take added precautions against fraud and abuse.
Know Your Customer regulations have been in place for banks, payment processors, and other financial service providers for many years, and some of the safeguards and practices they have to follow can also protect merchants who are dealing with increasingly complex and sophisticated fraud attacks. How can following Know Your Customer guidelines help merchants prevent fraud and chargebacks?
Originally conceived of as a way to deal with problems like money laundering and tax evasion, Know Your Customer (KYC) is an old concept that picked up a lot of legislative momentum after the 9/11 attacks.
Following the passage of the PATRIOT Act, banks and other financial institutions were required to follow specific KYC guidelines in order to prevent terrorist organizations from using established banking systems to fund their activities.
Terrorism may have given KYC regulations a high-profile reason to exist and be enforced, but KYC practices can also be effective at catching out nonviolent fraudsters and cybercriminals.
As merchants content not only with “traditional” credit card fraud but attacks like triangulation fraud, account takeover, and synthetic identity theft, these same KYC practices can help them strengthen their internal security, identify fraudsters and compromised accounts, and prevent the costly and unwinnable chargebacks that arise from true fraud.
What is KYC?
The purpose of KYC is to know that the individual signing up to use your services really is who they claim to be. This is done by verifying their identity and making sure that they aren’t on any government or industry lists of fraudsters, criminals, or terrorists. KYC enables organizations to do an accurate risk assessment of the people doing business with them.
Most KYC practices involve requesting information and documents from the customer, confirming their validity, and checking them against any relevant databases that might provide additional information.
The downside of KYC is that all of these questions and verifications can cause customers to react negatively. KYC checks can slow down signup and onboarding processes, and can feel intrusive to customers who place a high value on their privacy.
For merchants and others who make use of KYC by choice, rather than by law, it’s important to strike a balance between gathering useful, relevant information and maintaining a streamlined and pleasant experience for the customer.
Even when the law puts specific requirements in place, it’s not always clear what KYC procedures must entail. Title III of the PATRIOT Act, for example, requires financial institutions to engage in two forms of KYC: they are required to run a Customer Identification Program (CIP) and perform Customer Due Diligence (CDD).
The requirements for the latter are not spelled out in great detail, because they depend greatly on the customer’s specific individual circumstances. Enforcement of these requirements is managed by FinCEN, the Financial Crimes Enforcement Network—a bureau of the United States Department of the Treasury.
How Can Organizations Meet KYC Requirements?
For businesses subject to the banking regulations in the PATRIOT Act, complying with the KYC rules means implementing both CIP and CDD. CIP is relatively straightforward. You can ask the customer for a driver’s license, passport, or some other form of official government ID in order to verify their identity. Individuals applying for business accounts may also be asked to provide documents, references, financial statements, and other information.
CDD is less cut-and-dried than that. The point of CDD is to be able to determine how risky or potentially illegal a customer’s actions might be, and to identify and predict suspicious or anomalous behavior.
To achieve this, you might have to ask more probing questions about why the customer wants to open a new account, what purpose it’s for, where their funding comes from, and how their business operates. When a bank or financial institution believes that one of their customers is engaged in suspicious, possibly-criminal activities, they are obligated to report them.
Merchants aren’t subject to the same KYC laws as financial institutions, so when merchants adopt KYC practices they can do so with a focus on verifying customer identities in order to prevent fraudsters from signing up, and perform ongoing due diligence in order to identify anomalous orders that might be the result of things like account takeover fraud.
Why Should Merchants Adopt KYC Practices?
While there are attacks (such as friendly fraud) that involve known and verified customer identities, the majority of fraud is carried out by people who are pretending to be somebody else. With credit card fraud, they’re pretending to be the cardholder.
Account takeover fraud involves fraudsters hacking into existing customer accounts and using them for their own purposes. In new account fraud, you might see fraudsters using stolen or synthetic identities in order to start brand new, legitimate-looking customer accounts that evade fraud filters. Then there’s triangulation fraud, where cybercriminals set themselves up as ecommerce storefronts designed to trick consumers into placing real orders.
KYC processes can provide merchants with an early warning system against attacks like these.
When you know your customer’s identity and typical shopping patterns, it’s easier to spot and flag unusual orders or erratic behavior.
This can help you configure more effective fraud filters and make more accurate determinations when subjecting flagged orders to manual review.
Conclusion
As a specific set of legal guidelines outlined in the PATRIOT Act, KYC is required only for financial institutions. However, as a more loosely-defined concept about verifying your customers’ identities, understanding who they are and how they shop, and using that knowledge to inform your fraud and chargeback prevention strategy, KYC is a must for every merchant.
For merchants who sell high-value or age-restricted products, strict KYC requirements may be of added importance and customers should expect and understand the reasons for heightened security.
Other merchants may have to take a lighter, more creative touch when it comes to authenticating and learning about their customers. Either way, the power of knowledge can always give you a leg up when it comes to dealing with fraudsters and hackers.
Thanks for following the Chargeback Gurus blog. Feel free to submit topic suggestions, questions or requests for advice to: win@chargebackgurus.com.
