Publications

KYC (Know Your Customer) – what is this procedure?

⟨⟨ Back

Entities obliged to apply the provisions of the Anti-Money Laundering and Countering the Financing of Terrorism Act (hereinafter AML Act) must design and implement a procedure referred to as KYC (Know You Customer). What is the relationship of KYC to AML and how to properly implement KYC in your business?

Who must apply the KYC procedure?

The KYC procedure is mandatory for all companies that have acquired the status of a mandatory institution within the meaning of the AML Act. It is an extensive – and updated from time to time – catalogue of entities which includes, among others:

  • banks, credit institutions and cooperative savings and credit unions;
  • national payment institutions, small payment institutions and electronic money institutions;
  • investment firms;
  • investment funds; and ASIs;
  • Insurance companies and insurance intermediaries;
  • traders providing certain virtual currency services;
  • accounting firms.

It is worth remembering that the only criterion in determining whether an entrepreneur is an obliged institution is its business profile. Its scale is irrelevant. In order to find the answer to the question of whether you are obliged to apply the KYC procedure, determine whether your company is an obliged institution within the meaning of the AML rules.

What is the application of the KYC procedure?

The Know Your Customer procedure aims to obtain the most reliable and complete information on a counterparty, verifying its business profile and reliability. It is not only about identifying personal data, but also determining the counterparty’s transactional profile and whether the risk generated by the counterparty is low or high.

A properly implemented KYC policy aims to increase the security of trading and to determine whether a counterparty is engaging in money laundering or terrorist financing activities.

The KYC procedure should not be confused with the procedures for applying sanction lists, whether Polish, foreign or international. Although the two tools are similar in places, all businesses, not just obliged institutions, are required to implement a sanctions list compliance mechanism.

What is the relationship between KYC and AML?

The KYC procedure is an integral part of the AML policy, which means that companies must follow a risk-based approach. In this case, the legislator only indicates the results to be achieved by the obliged institutions without specifying how the objective can be achieved. It is up to the firm – taking into account the degree of risk, the complexity and scale of its business, its client portfolio and the number and value of its transactions – to tailor its internal procedures so that KYC can be achieved.

How to implement the KYC procedure in a company?

Guidance on how to implement a KYC procedure in an obliged institution is provided by Article 34 of the AML Act. It provides for the following financial security measures:

  • identifying the customer and verifying the customer’s identity;
  • identification of the beneficial owner and taking reasonable steps to verify its identity and determine its ownership and control structure;
  • assessing the purpose and nature of the business relationship;
  • ongoing monitoring of the client’s business relationship, including:
  • analysing the transactions carried out in the business relationship to ensure that they are consistent with the institution’s knowledge of that client and the level of risk
  • assumed;
  • investigating the source of assets at the disposal of the client, if justified by the circumstances;
  • ensuring that the documents, data or information held are kept up to date.

When to use the KYC procedure?

Verification of the identity of the customer and the beneficial owner should take place before the business relationship is established. What should happen for an obliged institution to have to trigger the KYC procedure? These situations are mentioned in Article 35 of the AML Act:

  • the establishment of a business relationship – the AML Act defines a business relationship as a relationship between an obliged institution and a customer related to the obliged institution’s professional activity, which at the time of its establishment bears the characteristic of permanence. In practice, this can be either a single contract or a whole series of them;
  • carrying out an occasional transaction exceeding threshold amounts (by default 15 thousand euros, 1 thousand euros for money transfer and virtual currency, 10 thousand euros for a cash transaction);
  • betting on or receiving winnings of EUR 2 thousand or more;
  • suspicion of money laundering or terrorist financing;
  • doubts about the veracity or completeness of customer identification data obtained to date;
  • access to anonymous safe deposit boxes.

In addition, financial security measures should be implemented if the relationship with the customer changes, e.g. as to its nature or circumstances, as well as changes in the customer’s details or its beneficial owner.

It should be mentioned that the application of financial security measures in the aforementioned cases is mandatory. It should not be the case that these measures are taken selectively, only in relation to selected groups of customers, although the scope of the procedure itself may be somewhat different depending on the degree of risk.

What is an obliged institution to do if it cannot apply the KYC procedure?

Sometimes, despite the efforts of the obliged institution, it will not be possible to apply security measures, e.g. due to a highly complex ownership structure and the inability to identify the beneficial owner. What to do in such a situation? The answer is provided by Article 41 paragraph 1 of the AML Act, according to which one should:

  • not establish a business relationship;
  • not carry out an occasional transaction;
  • not carry out transactions in favour of a bank account;
  • terminate the business relationship.

In addition, the obliged institution should consider whether the inability to apply financial security measures justifies submitting a notification to the GIIF.

What are the risks in favour of not implementing a KYC procedure?

Failure to implement a KYC procedure – like failure to comply with AML obligations – carries the risk of severe sanctions. Among the possible penalties, it is worth mentioning a high fine imposed by the FSA, revocation of a licence, permit or concession of a regulated activity, or even striking off the register. The penalty is imposed under the administrative procedure, which means that, upon appeal, a party has the right to file a complaint with the WSA.

Does the application of KYC always look the same?

The security measures implemented as part of AML procedures can be applied in a standardised manner, as well as in a relaxed or enhanced manner. It is up to the obliged institution itself to decide whether in a given situation there is a reason to relax or increase the rigour of the counterparty verification criteria; the legislator only gives general guidance in this respect:

  • a lower risk of money laundering and terrorist financing is indicated, inter alia, by the fact that the counterparty is a resident of a Member State, a public finance sector entity or a state-owned enterprise;
  • an increased risk of money laundering and terrorist financing is indicated e.g. by the establishment of business relations in unusual circumstances, by being a resident of a country with a higher AML risk, by an unusual or excessively complex ownership structure of the customer, not justified by the type and extent of the activity, or by the use of private banking instruments.

AML/KYC compliance – Linke Kulicki Law Firm

If your company is an obliged institution, be sure to properly design and apply a KYC procedure. If in doubt, we will help you comply with AML compliance requirements. Linke Kulicki Law Firm has been supporting its clients for years in the effective implementation of AML and terrorist financing regulations regardless of the industry.