A Guide to Customer Onboarding for Fintechs: Part I
Knowing your customer is the hardest part of the business
So, you want to build a digital bank in Nigeria? Join the club. In recent weeks, I've seen more new entities pop up on NIP than I can count. It seems like everyone wants a piece of the fintech pie. And why not? Fintech is easy, right?
Well, not so fast.
Before you get too carried away with fancy UI designs and dreams of disrupting the banking sector, let's discuss the elephant in the room: compliance. I know, it's not the sexiest topic, but trust me, it's one you'll want to pay attention to unless you fancy a visit from our friends at the Central Bank of Nigeria (CBN).
Here's the thing: that shiny new microfinance banking license you're so proud of? It makes you a bank, whether you like it or not. I know what you're thinking: "But we're different! We're digital! We're innovative!" Sure, you are, but to the CBN, you're just another financial institution that needs to play by the rules. And let's be honest, you're already pushing your luck by using a license meant for community financial inclusion to build your fancy digital platform.
Now, the CBN has laid out some clear guidelines on customer due diligence. The problem? They were written with traditional banks in mind - you know, the ones with actual buildings and tellers and those little pens on chains. For you, my digital-first friend, this presents a unique challenge: how do you verify customer identities without the luxury of face-to-face interactions?
To make matters more interesting, the CBN hasn't exactly rushed to put out e-KYC guidelines that they reference so often. So, you're left trying to fit your square peg of a digital bank into the round hole of regulations designed for the brick-and-mortar crowd. Fun times, right?
But don't worry, all is not lost. This essay is here to give you a reality check and a roadmap. We're going to dive into the key Know Your Customer (KYC) considerations you need to keep in mind when building your platform and onboarding customers. Think of it as a fintech common sense guide – because while fintech might seem easy, staying on the right side of regulations is anything but.
Customer Data and KYC Requirements: The Devil's in the Details
The CBN's Customer Due Diligence (CDD) guidelines are your new best friend, so get ready to become very familiar with them. Treat them like a bible, even.
First up, structured data collection. Every piece of customer information needs to be neatly categorized and easily retrievable. We're talking name, date of birth, address, BVN, NIN - the works.
The CDD guidelines require you to collect and verify:
1. Legal name and any other names used
2. Permanent residential address
3. Telephone number, email address
4. Date and place of birth
5. Nationality
6. Occupation, public position held (if any)
7. A government-issued ID number
Now, you might be thinking, "I'm just dealing with regular people who want to send money." But trust me, before you know it, you'll be eyeing those juicy corporate accounts. So, let's break down the application form requirements by customer type:
1. Individuals: All the basic stuff we mentioned earlier. Simple stuff.
2. Sole Traders: Everything for individuals, plus their business name, nature of business, and TIN. Because apparently, the CBN thinks everyone's registered their side hustle with the government.
3. Corporate Entities: This is where it gets fun. You'll need:
- Registered/business name
- TIN
- Proof of incorporation – the certificate, the particulars of shareholders, the ownership splits
- Address of the registered office
- Identity of all directors
- Nature of business
- Source of funds
And don't forget, for each director and major shareholder, you'll need to collect their individual information too. It's like a Russian nesting doll of KYC!
Address Verification: The Bane of Your Existence
Ah, address verification. In a country where "behind the big mango tree" can be a legitimate address, this is where things get tricky. The CBN wants you to verify addresses, but they're not exactly forthcoming with how to do that digitally.
Let's break down what they're saying in the CDD guidelines:
"FIs shall verify the identity of customers and BOs using reliable, independent source documents, data or information (identification data). FIs shall verify the identity of individuals by confirming the... residential address through physical visitation and use of other sources, including utility bill, tax assessment, bank statement, or letter from a public authority"
Did you catch that? "Physical visitation." Two words that are probably giving you a headache right now. If you don’t think so, ask the guys at Kuda, Moniepoint, OPay or PalmPay what happened to them. Let's unpack this:
1. Physical Visitation: Yes, you read that right. The CBN is essentially saying, "Get your digital boots on the ground." This is where being pure digital gets tricky. You don't have branches. You don't have field agents, unless you’re in Agency Banking. Your whole model is based on never having to meet your customers face-to-face. So, what do you do?
Options to consider:
- Partnering with logistics companies or courier services to conduct physical verifications
- Setting up a network of authorized agents who can conduct these visits
- Exploring the possibility of video verification (though be prepared to argue your case with the CBN)
2. Other Sources: The guidelines mention utility bills, tax assessments, bank statements, or letters from public authorities. But notice the word "and" before this list. It's not an "or" situation. The CBN wants both physical visitation and documentary evidence.
For your digital platform:
- Implement robust document upload features
- Use OCR technology to extract and verify information from these documents
- Consider partnerships with utility companies (BuyPower returns the address in the response for an electricity top-up) or government agencies for direct data verification
3. Reliable and Independent: These words are crucial. The CBN is emphasizing that your verification methods need to be trustworthy and not easily manipulated. This means:
- Your verification process should be standardized and documentable
- Any third-party services you use for verification should be vetted and approved
- You need a clear audit trail of your verification steps
4. Recent Information: While not explicitly stated in this clause, other parts of the CDD guidelines emphasize the need for recent information. Typically, documents should be no more than 3 months old. This means:
- Your system needs to flag when customer address information is outdated
- You should implement periodic re-verification processes
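An added sketch (not from the CBN guidelines or any vendor) of how the four points above can become one address-status check: a physical visit and a recent document are both required, and every decision is kept as an audit trail. The evidence record layout, the 90-day reading of "3 months" and the 365-day re-verification interval are assumptions.

```python
from datetime import date, timedelta

# Assumptions: "3 months" is taken as 90 days and the re-verification
# interval is 365 days; neither number comes from the CBN guidelines.
MAX_DOC_AGE = timedelta(days=90)
REVERIFY_AFTER = timedelta(days=365)
DOC_KINDS = {"utility_bill", "tax_assessment", "bank_statement",
             "public_authority_letter"}

def address_status(evidence, today):
    """evidence: dicts with kind, issued (document or visit date), received."""
    trail, visits, docs = [], [], []
    for ev in evidence:
        kind, issued, received = ev["kind"], ev["issued"], ev["received"]
        age = received - issued
        if received > today or issued > received:
            trail.append(f"{kind}: rejected, inconsistent dates")
        elif kind == "physical_visit":
            visits.append(issued)
            trail.append(f"{kind}: accepted, visited {issued}")
        elif kind not in DOC_KINDS:
            trail.append(f"{kind}: rejected, not an accepted source")
        elif age > MAX_DOC_AGE:
            trail.append(f"{kind}: rejected, {age.days} days old on receipt")
        else:
            docs.append(received)
            trail.append(f"{kind}: accepted, issued {issued}")
    # The clause says visitation AND other sources, so one alone is not enough.
    missing = [name for name, got in (("physical_visit", visits),
                                      ("document", docs)) if not got]
    if missing:
        return {"status": "UNVERIFIED", "missing": missing, "trail": trail}
    # A verification is only as current as its older leg.
    verified_on = min(max(visits), max(docs))
    stale = today - verified_on > REVERIFY_AFTER
    return {"status": "REVERIFY" if stale else "VERIFIED",
            "verified_on": verified_on, "trail": trail}
```

Persist the returned trail with the customer record so the decision can be reproduced later.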
Now, I know what you're thinking. "This is impossible for a digital bank!" And you're not entirely wrong. The CBN's guidelines are clearly written with traditional banks in mind. But here's the thing - until they issue specific e-KYC guidelines, this is what we've got to work with.
So, what's a poor neobank to do? Get creative, but be prepared to defend your methods:
1. Develop a robust risk-based approach. Maybe you only do physical verifications for high-risk customers or large accounts.
2. Invest in cutting-edge verification technologies. Think AI-powered document verification, liveness detection, and geolocation services.
3. Build partnerships. Work with fintech associations to lobby for updated, digital-friendly guidelines.
4. Document everything. Whatever method you choose, make sure you can show a clear, thorough process if (when) the CBN comes knocking.
Remember, the spirit of these guidelines is to ensure you really know who your customers are and where they live. Your job is to figure out how to meet that goal in a digital world. It's not easy, but hey, if it was, everyone would be doing it, right?
Risk Assessment and Classification: Because Not All Customers Are Created Equal
Now that you've collected enough customer data to make Facebook jealous, it's time to put it to good use. Welcome to the thrilling world of risk assessment and classification.
Risk Scoring Engine: Your New Best Friend
First up, let's talk about implementing a risk-scoring engine. This isn't just a fancy term to impress your investors; it's a crucial tool that the CBN expects you to have. Not many banks have this, to be honest. But, when things go south, it's one of the sticks that the CBN will use to beat you with.
Your risk-scoring engine should be able to take all that customer data you've collected and spit out a risk classification faster than you can say "compliance." Here's what you need to know:
1. Data Points: Your engine should consider multiple factors, including:
- Customer type (individual, sole trader, corporate)
- Occupation or nature of business
- Source of funds
- Expected account activity
- Geographic location (some states have more propensity for fraud than others, if you know what I mean)
2. Scoring Mechanism: Assign weights to different factors. For example, a customer from a high-risk state might get more points than one from a low-risk state.
3. Risk Categories: Typically, you'll want to classify customers into at least three categories:
- Low Risk
- Medium Risk
- High Risk
4. Automation: Your engine should automatically assign risk scores during onboarding and update them based on account activity.
5. Flexibility: Make sure your engine is flexible enough to adjust as regulations change or new risk factors emerge. Trust me, in this industry, change is the only constant.
Remember, the CBN will want to see the logic behind your risk scoring. So, document your methodology well. You don't want to be caught explaining why you thought Uncle Emeka's yam export business was low risk when the CBN thinks otherwise.
Risk Markers: Red Flags Aren't Just for Bullfights
Now, let's talk about risk markers. These are the red flags that pop up and say, "Hey, pay attention to this account!" Your system should be able to assign and track various risk markers. Here are some examples:
1. High-Risk Occupation: Politicians, arms dealers, cryptocurrency traders (yes, the CBN is still salty about crypto)
2. High-Risk Countries: Countries with weak AML controls or on sanctions lists
3. Unusual Account Activity: Sudden large deposits, frequent high-value transactions
4. Negative News: Adverse media mentions linked to the customer
The implications of these risk markers are significant:
- They affect the customer's overall risk score
- They determine the level of due diligence required
- They influence transaction monitoring thresholds
- They determine how often you need to review the customer's account (hint: high-risk customers need more frequent reviews)
Make sure your system can not only assign these markers but also alert your compliance team when they pop up. Because nothing says "regulatory nightmare" like missing a high-risk marker.
PEP Identification and Handling: When Your Customer is a Big Shot
Ah, Politically Exposed Persons (PEPs). The VVIPs of the compliance world. Identifying and handling PEPs is so important that the CBN gives it special attention in the CDD guidelines. Here's what you need to know:
1. Identification: Your system should be able to identify PEPs during onboarding and ongoing monitoring. This means:
- Having a comprehensive PEP database (hint: you'll probably need to subscribe to a third-party provider for this)
- Screening customer names against this database
- Allowing for manual flagging of PEPs by your compliance team
2. Risk Classification: PEPs are automatically considered high-risk. No ifs, ands, or buts.
3. Enhanced Due Diligence (EDD): For PEPs, regular due diligence just doesn't cut it. You need to:
- Gather more information on their source of wealth and funds
- Understand their reason for opening an account with your bank
- Get senior management approval for opening or continuing the account
4. Ongoing Monitoring: PEP accounts need more frequent reviews and closer transaction monitoring. Your system should automate reminders for these reviews.
5. Exit Strategy: Have a clear process for what to do if a PEP's risk becomes too high. Sometimes, you need to know when to say goodbye.
Remember, not all PEPs are created equal. A local councillor and the Minister of Petroleum Resources might both be PEPs, but they don't carry the same level of risk. Your system should be nuanced enough to reflect these differences.
By implementing a robust risk assessment and classification system, you're not just ticking a box for the CBN. You're building a foundation for safe and compliant operations. It might seem like overkill now, but trust me, when you're explaining to the CBN why you're not laundering money for international yam cartels, you'll be glad you put in the effort.
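To make the scoring engine, risk markers and PEP override described above concrete, here is an added example (not the author's code and not a CBN-prescribed model). Every weight, marker name, threshold and review interval in it is an illustrative assumption, as is the customer record layout.

```python
from dataclasses import dataclass

# Every weight, marker name, threshold and review interval here is an
# illustrative assumption, not a CBN value; set and document your own.
FACTOR_WEIGHTS = {
    "customer_type": {"individual": 5, "sole_trader": 10, "corporate": 20},
    "source_of_funds": {"salary": 0, "business_income": 10, "unknown": 30},
    "state_risk": {"low": 0, "medium": 10, "high": 20},
    "expected_activity": {"low": 0, "medium": 10, "high": 20},
}
MARKER_POINTS = {"high_risk_occupation": 25, "high_risk_country": 25,
                 "unusual_activity": 20, "negative_news": 15}
THRESHOLDS = [(60, "HIGH"), (30, "MEDIUM"), (0, "LOW")]  # checked top down
REVIEW_MONTHS = {"LOW": 24, "MEDIUM": 12, "HIGH": 6}

@dataclass
class Assessment:
    score: int
    category: str
    review_months: int
    needs_edd: bool
    reasons: list

def assess(customer: dict) -> Assessment:
    score, reasons = 0, []
    for factor, table in FACTOR_WEIGHTS.items():
        value = customer.get(factor)
        # Missing or unrecognised data scores as the worst case, never as zero.
        points = table.get(value, max(table.values()))
        score += points
        reasons.append(f"{factor}={value!r}: +{points}")
    for marker in customer.get("markers", []):
        points = MARKER_POINTS.get(marker, max(MARKER_POINTS.values()))
        score += points
        reasons.append(f"marker {marker}: +{points}")
    category = next(label for floor, label in THRESHOLDS if score >= floor)
    if customer.get("is_pep"):
        # PEPs are high risk regardless of score; the score still ranks them.
        category = "HIGH"
        reasons.append("PEP: forced to HIGH, senior management approval needed")
    return Assessment(score, category, REVIEW_MONTHS[category],
                      category == "HIGH", reasons)
```

The `reasons` list is the documented logic behind each classification; re-run `assess` whenever a marker is added so the category and review interval stay current.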
This is getting long-winded so let’s call it a day at this point. Stay tuned for Part 2 where we get into the three-tier KYC regime. Fun x3.