KYC stands for “Know Your Customer”. It is a process by which an organisation validates the personal and financial information of a potential customer. Often KYC checks may sit alongside KYB, or “Know your Business”, checks.
KYC and Direct Debit
Bacs, part of Pay.UK are the organisation responsible for operating the Direct Debit Scheme. They have created “The Service Users Guide and Rules to the Direct Debit Scheme”. This document, regularly updated, provides information on the rules and best practice that Service Users (the organisations collecting the Direct Debit) should follow.
Within the Rules, Bacs state that it is “strongly recommended” that organisations submitting electronic Direct Debit Instructions to Bacs (using the AUDDIS service) undertake KYC checks. For organisations signing Direct Debit payers up using paperless methodologies such as via the telephone or internet, the Rules go further and state that verification is “mandatory”. The rules state:
Rule: Prior to the origination of any Direct Debits the service user must verify:
- The identity of the payer
- Their address
- Their account details – ensuring that the details provided relate to the payer
Know Your Customer: Requirements
When applying to collect Direct Debits, Service Users are asked to indicate how they will achieve their KYC responsibilities. They are asked how they will achieve the following 4 things when signing up new Direct Debit payers:
- identify the customer/payer and ensure they are who they say they are,
- ensure that the address provided is that of the customer/payer,
- ensure the account number and sort code relate to the payer, and,
- ensure the person is authorised to sign on the bank account.
In addition to processes to be implemented when signing up new Direct Debit payers, Bacs advise that:
“validation and verification must also be undertaken when an existing customer contacts the service user directly to provide alternative account details”.
Risks of not undertaking KYC
KYC is an established practice within the financial world. Undertaking checks is a key way to minimise risk. They help prevent unauthorised / fraudulent DDIs being set up. In turn, this protects the payer from having money removed from their account. In addition, KYC checks protect the scheme by preventing it from falling into disrepute and they protect the Service User. This is because they can help minimise any exposure to reputational and financial risk and prevent Direct Debit indemnity claims being raised against the Service User.
Approach
There are various ways that KYC checks can be performed. Bacs produce a list of “Verification Measures” to help Service Users select the best approach for their business. Note: Bacs do not endorse any particular approach or third-party provider. They stress “This list should not be read or understood as being, in any way, an endorsement or recommendation by Pay.UK of the suppliers or products named”. Ultimately the sponsoring bank will approve the methods undertaken as part of the Service User approval process.
1. Requesting to see customer documentation
The Service User can request documentation from the consumer to help achieve their KYC requirements. As well acting as proof of identity, some of these documents will also help to confirm address and bank details, as indicated below.
Item | Name | Address | Account |
Passport | X | ||
Full driving licence | X | X | |
Household bills – (2 dated within last 3 months) | X | X | |
PSP statement | X | X | X |
Tax bill / notification of tax code | X | X | |
Birth certificate | X | ||
Debit card | X | X |
This approach works best in a face to face environment. It is typically quite manual in nature and can be time consuming, requiring a visual check of documents. It can be difficult to achieve these checks if using telephone or online sign-ups.
2. Interaction with the customer
It is possible to undertake verification checks liaising with the payer without requesting documentation from them. A few ways to achieve this as highlighted by Bacs are listed below.
Item | Name | Address | Account |
Check Existing Records | X | X | X |
Deposit via other method (eg card) | X | X | |
Push Payment | X | X | |
Verify using Paperless Script / Internet prompts | X |
3. Third Party Sources
There are third party organisations who provide information that can be purchased to help with KYC checks. Some of these are listed below:
Item | Name | Address | Account |
Modulus Checking / EISCD | X | ||
Electoral Roll | X | ||
192.com | X | X | |
PAF (Postcode Address file) | X |
Purchasing data or services from a Third Party Provider (TPP) can add cost and it is worth fully understanding what they can and can’t help with.
Modulus Checking
Modulus checking is a mathematical validation process. It assesses whether it is possible for a given bank account number to exist at a given sortcode. These checks can alert an organisation if bank details are incorrect.
- It is highly recommend that Service Users apply modulus checking during sign up. If the Service User is collecting the Direct Debit Instruction via a paperless method e.g. telephone or internet, this could be possible. Modulus checking options are available from a number of different providers. They can be either stand-alone software or provided as part of an integrated approach e.g. built into online sign-up screens or as part of a master database / CRM. The payers account details can be validated by performing the Modulus Check electronically during the sign-up. Any errors can then be flagged to the payer and corrected before proceeding, reducing admin and preventing future errors.
- It is mandatory for Service Users to validate the payer’s account details by applying modulus checking’ prior to submission of the AUDDIS Instruction. All Bacs Approved Software contains modulus checking as part of the Bacstel-IP package. This means that all Service Users can comply with this Rule and perform the modulus check just prior to submission of the details to Bacs.
Whilst modulus checking is extremely useful in reducing errors, it does have limitations:
- It can confirm if it is possible for an account to exist but does not definitively confirm that the account is open. Even with checks therefore it is possible to receive back failed items due to incorrect details.
- It doesn’t verify that the account details provided belong to the payer i.e. that the payer ‘owns’ that bank account. Organisations may need to undertake additional checks to ensure that the name given for the account relates to the customer and the provided sortcode and account number.
Confirmation of Payee
Confirmation of Payee (CoP) is a name-checking service for bank accounts. The service was launched in 2020 by Pay.UK and has grown significantly since this time. Now, approximately 90% of all faster payments are subject to CoP checks.
CoP was developed to help organisations match a bank account name to bank account details such as sortcode and account number. It was developed to provide reassurance that payments were being directed to, and collected from, the intended account holder. It thereby reduces the chance of accidental or deliberate misdirection (e.g. if account details are changed). CoP checks advise that a given name of an account either fully matches the actual account name, partially matches, is no match or can’t be checked. It is undertaken via a real-time API call to the bank so is up to date. If a Service User undertakes a check and are told that the name partially matches or cant be checked, they will need to decide how best to proceed with the transaction.
There are various providers of CoP services that can be used as part of the KYC process.
Open Banking
It is possible to verify information by using a service from a regulated Open Banking provider – called a Third Party Provider or TPP. Open banking allows consumers to share their bank data with a third-party organisation. Once the consumer has given permission, the information is accessed electronically by the TPP via a real-time API (application programming interfaces). The TPP can then present this data to the Service User to help them verify customers and their account details.
There are two main types of TPPs of open banking services – AISPs and PISPs. In the United Kingdom (UK), these types of companies have to register with the Financial Conduct Authority (FCA).
- Account Information Service Provider (AISPs) are organisations that access customer information when they are given ‘read-only’ permission to view the customers bank account. Whilst they are authorised to view bank account information, they cannot initiate payments or transfers. The consumer must give explicit consent. The AISP can then check account details, including account name. This service is useful if there is a need to check for ‘proof of funding’ or credit history and creditworthiness. The AISP collects the data and can then present it to the Service user to help the Service User fulfil their KYC requirements.
- Payment Initiation Service Provider (PISPs) are the other type of TPP for open banking. These organisations act on a consumer’s behalf to initiate payments. This would not be needed if the Service User was using Open banking as part of the Direct Debit KYC checks.
Open banking can remove the need to conduct manual checks such as checking passports or utility bills. It digitalises processes such as retrieving information like name, surname, date of birth etc. This can decrease the time required to undertake checks and remove potential errors. Companies will be able to receive data in a presentable, digestible way.