When you were growing up, your parents probably did business with merchants who knew them by name as soon as they walked in the door — and if that merchant was a doctor or pharmacist, they maybe knew more about your folks than they wanted to admit. Yet today, it’s a running joke when regulars at places like Starbucks walk out with their names spelled wrong on their cups. Today, it’s almost impossible for companies to know all of their customers personally.
In my hometown, there was a local market called the Quito Market. My mom would shop there just about every day because she liked fresh items for dinner each night. Oh, I wish I was more like my mom! The owner, Gene, knew my mom and all of us by name. He knew me so well he invested in me, sponsoring many of my swimming fundraisers. He didn’t expect anything from us in return, because he knew we’d keep coming back to shop. In a very high-tech way, that’s what Know Your Customer (KYC) is: helping payment processors, the banks we work with and the card brands get to know our customers. By getting to know your customers, you know whom you are working with so you can be confident they are going to abide by the rules.
You need to identify and verify the identity of customers and the beneficial owners of companies, understand the nature and purpose of the businesses to create a risk profile and conduct ongoing monitoring to report suspicious transactions.
For several months we’ve been focused on preparing for the new Mastercard regulations, making sure merchants are all in compliance, but we’ve also been focused on merchant KYC, in the form of a Customer Due Diligence (CDD) update. This month, we dive into what that is and how best to prepare to remain card-compliant.
WHY SHOULD YOU DO KYC UPDATES?
When payment processors go through an annual KYC look-back with merchants, each year the same questions often crop up, like “Why do we have to do this and how come other companies don’t require regular KYC updates?” While it is time-consuming and, some would say, a pain to gather all of this type of documentation like IDs and other paperwork, it is worth it.
Twenty years ago, when I started in this industry, all a merchant needed to do was fill out an online application and hit “agree” as a signature, and they would be approved for processing. There was little to no review process. Boy, have things changed! There are several components to a CDD: You need to identify and verify the identity of customers and the beneficial owners of companies, understand the nature and purpose of the businesses to create a risk profile and conduct ongoing monitoring to report suspicious transactions.
The CDD helps providers know more about their clients, helping them to establish a stronger and more transparent working relationship. In return, it helps protect them against online fraud, fines, reputational risk and poor customer service.
HOW CAN KYC AND CDD HELP PROTECT YOU?
CDD comes from standards set by EU anti-money-laundering directives; FINCEN, an agency of the U.S. Treasury; and intergovernmental organizations like the Financial Action Task Force. Our acquiring partners are also subject to the same regulations and are required to hold CDD on their clients. As a licensed payment institution with the Central Bank of Ireland and UK Financial Conduct Authority, we are regulated to comply with EU law.
CDD validates methods used to monitor, remediate and respond to customer complaints. Processors are required to conduct necessary CDD checks to enter a business relationship and provide payment services to a merchant. Not to mention, processors are regularly audited by their acquiring brands and by the regulatory bodies of Europe and the U.K., to be sure they each have current and complete CDDs on their merchants.
If a processor doesn’t have sufficient KYC files, they could potentially lose accounts with their acquirers, lose their license to process and not be able to handle funds with EU or U.K. banks. Also, not meeting these regulatory guidelines results in large fines for the processor. CDD requirements are also expanding thanks to new requirements from acquirers and card brands. The requirements themselves vary geographically. For example, they are different in the U.S., U.K. and EU. To stay in compliance, we should all adhere to the highest standards. Being compliant today saves headaches tomorrow!
WHAT ARE THE LATEST REQUIREMENTS?
So, what are the latest requirements for merchants? Grab your notepad, because we’ll break down what you need to know.
First, you’ll need all corporate documents. These include a corporate certificate, operating agreements and shareholder documents. You’ll also need drivers’ licenses and/or passports along with a utility bill from all directors and Ultimate Beneficial Owners who own more than 10% of the company. You’ll need the tax ID in the U.S. or VAT ID if in the EU or U.K., and all bank statements in the name of the company, with matching addresses of the company. Card brands require you to show an office lease to validate the merchant’s location. Adult content questionnaires need to be filled out which include age verification and consent moderation policies.
New to the CDD is a Self-Assessment Questionnaire (SAQ) for payment card industry (PCI) compliance. This is being requested by several U.S. and EU banks. This SAQ is designed to show that the merchant knows how to handle sensitive data. You’ll also have to show a diagram of the corporate structure. There are several tools available for creating one, like Organogram Templates for merchants.
The best thing you can do to be prepared is to keep your own CDD files current and easy to access. This means you can quickly gather the utility bills of directors and/or partners, and when your processor’s acquiring partners ask for the files to audit, the request can be turned around in less than two weeks. Lastly, make sure the processing partner you work with, whether it’s directly with an acquirer, through an ISO or with a payment facilitator, is the one asking for this information.
If gathering all these types of KYC or CDD files blows your mind, reach out to a trusted payment processor to help you get organized and streamline what’s needed.
Cathy Beardsley is president and CEO of Segpay, a global leader in merchant services offering a wide range of custom financial solutions including payment facilitator, direct merchant accounts and secure gateway services. Under her direction, Segpay has become one of four companies approved by Visa to operate as a high-risk internet payment services provider. Segpay offers secure turnkey solutions to accept online payments, with a guarantee that funds are always safe and protected with its proprietary Fraud Mitigation System and customer service and support. For any questions or help, contact sales@segpay.com or compliance@segpay.com.