While you may be aware that payment providers help safeguard corporate funds from fraud, do you know the critical role they play in helping to thwart money laundering, terrorist financing, and other illegal operations?
Know Your Customer (KYC) regulations were first enacted in the 1990s to combat money laundering and were made more stringent after 9/11 through additional provisions in the Patriot Act of 2001. These provisions require payment providers – along with financial institutions, merchant acquirers, fintech companies, and others dealing with money transfers – to conduct due diligence on their customers to help protect the national payments system from financial crimes. To mitigate the risk of foul play, these providers must identify and verify the identity of all their customers.
Common Questions about the KYC Compliance Process
What do these KYC regulations mean for you as you implement an AP automation platform and payment provider? Below are answers to eight frequent questions we hear from new customers about KYC compliance:
1. How does KYC compliance help protect against bad actors?
By requiring banks and other payment providers that handle money transfers to verify that companies making and receiving payments are who they say they are, government regulators can protect our financial system from bad actors. It is the first step in identifying and preventing the financing of terrorism and drug smuggling, corruption schemes, money laundering, and other crimes.
2. What type of information do you need from my company for KYC purposes?
During the onboarding process, we will ask for business information, including your taxpayer identification number (TIN). In addition, we will ask for the social security numbers of the beneficial owners of your company, as well as one control person. A control person is defined as a single individual (natural person) with significant responsibility to control, manage, or direct a legal entity (e.g., CEO, CFO, COO, president, vice president, or managing director) or any other person who regularly performs similar functions.
3. Why do we have to provide social security information?
To establish that no bad actors are involved in transferring and receiving funds, the Patriot Act requires financial institutions to verify the identity of their customers before engaging in business. The TIN is one of the best ways to verify the identity of customers during onboarding. That’s why we collect the social security numbers of the beneficial owners of companies that make payments through MineralTree.
4. Will you contact us on an ongoing basis about KYC compliance?
No. You can expect to hear from us about this only during the onboarding process.
5. Why is MineralTree asking for this information – aren’t you a software provider?
We are involved in the transfer of funds, and as such, must be in compliance with KYC regulations.
6. Does every payment processing company ask for this KYC information?
Yes, every payment processing company is required by law to conduct this KYC verification process.
7. Does KYC compliance benefit us?
The KYC process also helps to protect your company. If your company inadvertently sends money to bad actors, it will put you and your suppliers at risk. You have the protection and peace of mind in knowing that all of our customers have gone through this process.
8. How do you keep our information secure?
MineralTree has implemented rigorous security policies, procedures, and tools across our entire organization. Because of the breadth of our customers – from public companies who must comply with Sarbanes-Oxley, to healthcare providers who may have patient health information (PHI) in their AP workflow – we have pursued the most extensive security certifications and audits in the market.
The information we collect for KYC is closely held with stringent access protections. We have partnered with industry leaders in verification and fraud prevention software services to perform the required due diligence in house.
Some of our overall security measures include:
- Strict employee controls and access – All of our employees are subject to independent background checks and must complete regular security training. We grant access to systems based on role, least-privilege, and need-to-know principles, and we perform regular internal audits to ensure that only authorized users have access.
- Data classification, encryption, and retention – We classify the data we manage by sensitivity to ensure it is protected with sufficient controls. Data classifications include PCI, PII, and PHI. All data is encrypted in transit over the public internet, and PCI, PII, and PHI data is encrypted at rest with strong ciphers such as AES with 256-bit keys. Data is stored only as long as required and is destroyed in a secure fashion when no longer needed.
- Network, system, and application management – A comprehensive change management process ensures that all changes have undergone QA, have been peer reviewed for adherence to security and coding best practices, and have been approved. All systems are built using hardening standards and are protected with firewalls, anti-virus, DLP, and IDS software. In addition, systems undergo regular vulnerability scans and penetration testing.
- Vendor management – We have implemented a third-party vendor management program to ensure that our service providers meet or exceed our security standards. Agreements with vendors include SLAs and NDAs.
In addition, we are compliant with two security standards that are relevant to KYC:
- SOC 1 Type 2 compliance: Assures our customers that MineralTree has implemented internal controls to protect their financial data and ensure the integrity of their payments workflow. Our Type 2 report is completed every six months.
- SOC 2 Type 2 compliance: A third-party auditor verifies that our security controls meet AICPA’s five trust service principles for managing and protecting customer data: Security, Availability, Processing Integrity, Confidentiality, and Privacy.
KYC Compliance Gives Us—and You—Peace of Mind
Given today’s realities, we need to take measures to prevent financial crimes and ensure that our national payments system is protected. Our KYC procedures do just that, and, along with the stringent security measures we put in place, they reduce risk, protect everyone, and give you the peace of mind to make payments and conduct financial operations without having to give it another thought.