Know Your Employee (KYE) is the internal counterpart to know your customer, applying the same risk-based verification logic to the people inside your organization. For payment businesses and ecommerce merchants, employees with access to transaction systems, customer data, or financial controls represent a material insider threat that external fraud controls alone cannot address. Treating employees as a trusted category by default—without verification or ongoing oversight—is one of the most common and costly compliance gaps in the payment industry.
How Know Your Employee (KYE) Works
A KYE program spans the entire employee lifecycle, from candidate screening before an offer is extended to continuous monitoring throughout employment and a structured off-boarding process that revokes access cleanly. The goal is to ensure that only verified, appropriately vetted individuals hold access to sensitive payment infrastructure and financial data.
Pre-Employment Background Screening
Before a candidate joins, verify identity documents, check criminal history, validate employment history, and screen against global sanctions and watchlists. For roles with payment system access, include credit history checks where legally permitted. All findings should be documented and reviewed by a compliance officer before a hiring decision is finalized.
Onboarding Due Diligence
Collect conflict-of-interest declarations and financial disclosure forms for relevant roles, and conduct structured reference checks focused on integrity. Assign system access strictly according to the principle of least privilege—no employee should receive permissions beyond what their specific role requires on day one.
Privileged Access Review
Map which employees hold elevated access to payment routing, refund processing, credential management, or financial reporting. Conduct quarterly access recertification reviews so that permissions granted during onboarding do not persist beyond their justification. Revoke access that can no longer be tied to a current business need.
Ongoing Behavioral and Transaction Monitoring
Use system audit logs, anomaly detection tools, and HR signals to flag unusual behavior: bulk data exports, off-hours logins, refund or transaction approvals outside a user's historical pattern, or lifestyle changes inconsistent with compensation. Route alerts into a structured case management workflow with defined escalation paths rather than treating them as informal observations, and escalate when independent signals corroborate each other for the same person.
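Added example, not Tagada's code and not from the original page: a small Python detector that implements the three log-based signals above (off-hours login, bulk export, atypical refund approval) over a constructed audit-log sample, then groups hits into per-user cases and escalates when independent rules corroborate. The field names, thresholds and per-user refund baselines are assumptions; a real deployment would derive baselines from historical approvals and push the cases into the SIEM or case-management tool.

```python
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample audit log (not real data). Field names are assumptions
# about what a payment system's audit trail carries: ISO-8601 UTC timestamp,
# actor, action, amount for monetary actions, and source IP.
SAMPLE_LOG = [
    {"ts": "2024-03-04T09:12:00Z", "user": "alice", "action": "login",          "amount": 0.0,   "src_ip": "10.0.1.5"},
    {"ts": "2024-03-04T09:30:00Z", "user": "alice", "action": "refund.approve", "amount": 120.0, "src_ip": "10.0.1.5"},
    {"ts": "2024-03-04T10:01:00Z", "user": "alice", "action": "data.export",    "amount": 0.0,   "src_ip": "10.0.1.5"},
    {"ts": "2024-03-04T10:04:00Z", "user": "alice", "action": "data.export",    "amount": 0.0,   "src_ip": "10.0.1.5"},
    {"ts": "2024-03-04T10:09:00Z", "user": "alice", "action": "data.export",    "amount": 0.0,   "src_ip": "10.0.1.5"},
    {"ts": "2024-03-04T02:45:00Z", "user": "bob",   "action": "login",          "amount": 0.0,   "src_ip": "203.0.113.9"},
    {"ts": "2024-03-04T02:50:00Z", "user": "bob",   "action": "refund.approve", "amount": 950.0, "src_ip": "203.0.113.9"},
    {"ts": "2024-03-04T11:15:00Z", "user": "carol", "action": "refund.approve", "amount": 40.0,  "src_ip": "10.0.2.7"},
]

# Tuning values; all assumptions for the example.
BUSINESS_HOURS_UTC = (7, 20)   # logins outside [07:00, 20:00) UTC count as off-hours
EXPORT_ALERT_COUNT = 3         # exports per user per calendar day that trigger an alert
# Per-user refund ceiling that would normally come from historical approvals (constructed).
REFUND_BASELINE = {"alice": 500.0, "bob": 200.0}


def parse_ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def detect(events):
    """Return (rule, user, detail) tuples for events that deviate from the baseline."""
    alerts = []
    exports_per_day = defaultdict(int)
    for e in events:
        ts = parse_ts(e["ts"])
        user, action = e["user"], e["action"]
        if action == "login" and not (BUSINESS_HOURS_UTC[0] <= ts.hour < BUSINESS_HOURS_UTC[1]):
            alerts.append(("OFF_HOURS_LOGIN", user, e["ts"]))
        elif action == "data.export":
            key = (user, ts.date())
            exports_per_day[key] += 1
            if exports_per_day[key] == EXPORT_ALERT_COUNT:   # fire once, on the Nth export, not on every one after
                alerts.append(("BULK_EXPORT", user, ts.date().isoformat()))
        elif action == "refund.approve":
            ceiling = REFUND_BASELINE.get(user)
            # A user with no approval history is itself a deviation: fail closed and flag it.
            if ceiling is None or e["amount"] > ceiling:
                alerts.append(("ATYPICAL_REFUND", user, e["ts"]))
    return alerts


def open_cases(alerts):
    """Group alerts per user into one case; escalate when two or more independent rules fire."""
    cases = {}
    for rule, user, detail in alerts:
        case = cases.setdefault(user, {"rules": set(), "evidence": [], "severity": "medium"})
        case["rules"].add(rule)
        case["evidence"].append((rule, detail))
        if len(case["rules"]) >= 2:
            case["severity"] = "high"
    return cases


if __name__ == "__main__":
    for user, case in open_cases(detect(SAMPLE_LOG)).items():
        print(user, case["severity"], sorted(case["rules"]))
```

Two design choices matter in practice: the bulk-export rule fires once when the threshold is crossed rather than on every subsequent export, so one incident yields one alert instead of an alert storm; and a user with no refund history is treated as anomalous rather than skipped, because "nobody defined a baseline" is exactly the gap a new or reassigned insider would sit in.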
Periodic Re-Screening and Off-Boarding
Re-screen employees annually or upon role changes that elevate their access level. At separation, revoke all access immediately, not just the password: active sessions, API keys, SSH keys, MFA enrolments and membership in any shared accounts (rotate the secrets the leaver knew). Recover company assets before the final day. Conduct an exit interview to surface any compliance concerns, and review the audit logs covering the notice period for bulk exports, unusual access patterns or transfers to personal accounts, since that window is a common one for data theft by departing insiders.
Why Know Your Employee (KYE) Matters
Insider threats are consistently underweighted relative to their actual financial impact. Organizations concentrate compliance budgets on external fraud vectors while employees with privileged access often face less scrutiny than the customers they serve. The business case for KYE is driven by hard data, not precaution.
According to the ACFE 2022 Report to the Nations, organizations lose an estimated 5% of annual revenues to occupational fraud, with a median loss of $117,000 per case, rising to $800,000 for schemes that run longer than five years. The Ponemon Institute's 2022 Cost of Insider Threats Global Report (sponsored by Proofpoint) found the average annual cost of insider-related incidents reached $15.4 million per organization, a 34% increase from 2020. PwC's Global Economic Crime and Fraud Survey found that internal actors were responsible for 31% of reported fraud incidents, making employees one of the most significant fraud vectors in financial services.
For payment merchants, the stakes are compounded by regulatory requirements. PCI DSS Requirement 12.7 (numbered 12.7.1 in PCI DSS v4.0) mandates pre-hire screening of personnel who will have access to the cardholder data environment. Failure to implement anti-money laundering internal controls that include employee oversight can trigger regulatory sanctions independent of whether any fraud has actually occurred.
Regulatory Baseline
PCI DSS Requirement 12.7 mandates that organizations screen potential personnel prior to hire to minimize the risk of attacks from internal sources. AML regulations in most jurisdictions require documented internal controls over staff with access to financial systems—KYE provides that documentation trail.
Know Your Employee (KYE) vs. Know Your Customer (KYC)
KYE and KYC share the same underlying logic—verify who you are dealing with and continuously assess their risk—but they operate in opposite directions. KYC targets the external parties your business serves; KYE targets the internal parties who operate your business. Understanding the distinction matters because the tools, workflows, and regulatory mandates are materially different for each.
| Aspect | KYE | KYC |
|---|---|---|
| Subject | Employees, contractors, internal staff | External customers and end-users |
| Primary goal | Detect insider threat, prevent internal fraud | Verify identity, prevent financial crime |
| When applied | Pre-hire, onboarding, and continuously | Account opening and ongoing due diligence |
| Regulatory driver | AML internal controls, PCI DSS, labor law | AML/CFT regulations (FinCEN, FATF, FCA) |
| Key tools | Background checks, access audits, behavioral monitoring | ID verification, sanctions screening, risk scoring |
| Consequence of failure | Internal fraud loss, regulatory sanction, reputational damage | Regulatory fine, customer fraud liability |
Both programs are complementary pillars of a coherent compliance architecture. A strong know your business program vets your merchant partners; KYC vets your customers; KYE vets the people running the operation. Gaps in any one layer create exploitable exposure across the others.
Types of Know Your Employee (KYE)
KYE is not a single process applied uniformly. Different employee populations and risk profiles call for different screening depths and monitoring cadences. A well-structured program segments employees into risk tiers and applies proportionate controls at each level.
Pre-Employment Screening is the baseline layer applied to all candidates. It confirms identity, checks criminal records, validates academic and professional credentials, and screens against global sanctions and adverse media sources.
Enhanced Due Diligence for High-Risk Roles applies to employees in finance, payment operations, IT administration, and executive positions. It includes credit history review, deeper reference interviews, and in some jurisdictions, disclosure of outside business interests or personal financial liabilities that could create conflicts.
Privileged Access Vetting targets individuals who hold elevated permissions within payment systems—such as the ability to approve refunds above a defined threshold, modify routing rules, or access raw transaction data. These employees undergo more frequent re-certification and tighter behavioral monitoring than the general workforce.
Ongoing Behavioral Monitoring is continuous rather than periodic. It uses SIEM (Security Information and Event Management) tools, transaction monitoring systems, and HR analytics to flag deviations from an established behavioral baseline in near real time.
Periodic Re-Screening is triggered either by calendar—typically annually—or by event: a promotion, a role change, a compliance incident, or a flag raised during behavioral monitoring. It ensures the risk profile captured at hire remains current as the employee's circumstances and access evolve.
Best Practices
KYE effectiveness depends on consistent implementation across the organization, supported by clear policy and the right technical controls. The requirements differ depending on whether you are operating the compliance program at a business level or building the infrastructure that enables it.
For Merchants
- Segment employees by risk tier. Not every employee needs the same depth of vetting. Map roles to risk levels and apply screening proportionately—higher system access means higher scrutiny, with documented justification for every access grant.
- Enforce least-privilege access. No employee should hold system permissions beyond what their current role requires. Review and trim access quarterly, and automate de-provisioning when roles change.
- Integrate KYE with your internal fraud program. KYE screening and behavioral monitoring should feed into the same case management and escalation workflow as external fraud alerts, not operate as a separate HR function with no connection to financial controls.
- Document every decision. Maintain auditable records of every screening result, access grant, re-certification, and alert review. Regulators will request this documentation during examinations, and gaps will be treated as failures of the program rather than failures of record-keeping.
- Cover contractors and managed service providers. Extend KYE requirements contractually to any third party whose personnel access your payment systems or customer data. Treat third-party personnel as equivalent to direct employees in terms of access risk.
For Developers
- Build audit logging from day one. Every action within a payment system should be logged with user identity, a synchronized UTC timestamp, source IP, the action and the object it touched, and the outcome (success or failure). Write logs to append-only, centralized storage that the users being audited cannot alter, and retain them for at least 12 months with the most recent three months immediately available, which is the PCI DSS floor (Requirement 10.7 in v3.2.1, 10.5.1 in v4.0) and the minimum a forensic review or regulatory request will need.
- Implement role-based access control with automated provisioning. Tie access grants to HR system role data so that when an employee's role changes, their permissions update automatically without requiring a manual IT ticket.
- Surface behavioral anomalies via alerting pipelines. Define baseline behavioral profiles per role and route deviations to a compliance review queue. Anomaly detection should be proactive, not reliant on a human reviewing logs after the fact.
- Build off-boarding automation. When an HR termination event fires, revocation should be automatic and immediate, and it must cover everything that grants access: passwords, active sessions and refresh tokens, API keys, SSH keys, and membership in shared accounts, whose secrets then need rotating. A manual process that depends on someone remembering to file a ticket creates a window of unauthorized access between the final working day and actual revocation, and a password reset alone leaves open sessions and long-lived tokens usable through that window.
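Added example, not Tagada's code and not from the original page, that serves both the quarterly recertification described under Privileged Access Review and the HR-driven provisioning and off-boarding items above: a Python reconciliation that treats the HR roster as the source of truth and computes the grants and revocations needed to make the payment system match a least-privilege role map. The roles, permission names, roster and grant snapshot are all constructed for the example; in a real pipeline the roster would come from the HR system's API and the grant snapshot from the payment platform's admin API.

```python
# Least-privilege role map: each role receives exactly the permissions it needs.
# Roles and permission names are assumptions for the example.
ROLE_PERMISSIONS = {
    "support_agent": {"txn.view", "refund.request"},
    "payments_ops":  {"txn.view", "refund.approve", "routing.edit"},
    "finance":       {"txn.view", "report.export"},
}

# Constructed HR roster (the authoritative source): user -> (role, status).
HR_ROSTER = {
    "alice": ("payments_ops", "active"),
    "bob":   ("support_agent", "active"),   # moved from payments_ops; old grants linger
    "carol": ("finance", "terminated"),      # termination event fired today
    "dave":  ("contractor", "active"),       # role with no permission mapping
    "frank": ("finance", "active"),          # hired today, nothing provisioned yet
}

# Constructed snapshot of what the payment system currently grants.
CURRENT_GRANTS = {
    "alice": {"txn.view", "refund.approve", "routing.edit"},
    "bob":   {"txn.view", "refund.request", "refund.approve", "routing.edit"},
    "carol": {"txn.view", "report.export"},
    "dave":  {"txn.view"},
    "erin":  {"txn.view"},                   # no HR record at all: orphaned account
}


def reconcile(roster, grants):
    """Return (action, user, permission, reason) tuples that bring grants in line with the roster.

    Fails closed: anyone not active, not in HR, or in a role with no mapping loses everything,
    and a permission not required by the current role is revoked even if it was once justified.
    """
    actions = []
    for user, held in grants.items():
        record = roster.get(user)
        if record is None:
            actions.append(("revoke_all", user, None, "no HR record"))
            continue
        role, status = record
        if status != "active":
            actions.append(("revoke_all", user, None, f"status={status}"))
            continue
        expected = ROLE_PERMISSIONS.get(role)
        if expected is None:
            actions.append(("revoke_all", user, None, f"role {role} has no permission mapping"))
            continue
        for perm in sorted(held - expected):
            actions.append(("revoke", user, perm, f"not required by role {role}"))
    for user, (role, status) in roster.items():
        if status != "active":
            continue
        expected = ROLE_PERMISSIONS.get(role, set())
        for perm in sorted(expected - grants.get(user, set())):
            actions.append(("grant", user, perm, f"required by role {role}"))
    return actions


def apply_actions(actions, grants):
    """Apply reconciliation actions to a copy of the grant table and return the new table."""
    new = {user: set(perms) for user, perms in grants.items()}
    for action, user, perm, _reason in actions:
        if action == "revoke_all":
            new.pop(user, None)
        elif action == "revoke":
            new.get(user, set()).discard(perm)
        elif action == "grant":
            new.setdefault(user, set()).add(perm)
    return new


if __name__ == "__main__":
    for action in reconcile(HR_ROSTER, CURRENT_GRANTS):
        print(*action)
```

Run this on every HR event (hire, role change, termination) and on a schedule; the action list with its reasons is exactly the auditable record of each grant and revocation that the "document every decision" practice calls for, and a scheduled run with no output is positive evidence that access still matches current business need. The unmapped-role and orphaned-account cases are revoked rather than merely flagged because an account nobody can justify is the one an attacker or a departed contractor would use.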
Common Mistakes
KYE programs frequently fail not because organizations skip screening entirely, but because they implement it inconsistently or treat it as a one-time event rather than an ongoing discipline.
1. Treating screening as a single point-in-time event. Pre-employment checks capture risk at hire. An employee who was low-risk in year one can become high-risk in year four due to financial stress, a change in personal circumstances, or gradual normalization of minor policy violations. Without ongoing monitoring, these shifts go undetected until after significant harm has occurred.
2. Excluding contractors and third parties. Insiders include anyone with legitimate access to your systems. Restricting KYE to direct employees leaves a gap that threat actors and opportunistic contractors can exploit. Third-party personnel often receive less organizational scrutiny precisely because they are not on the direct payroll.
3. Inconsistent application across geographies. Multinational organizations often apply rigorous screening in their home market and minimal checks in other regions. Inconsistency creates exploitable weak points and undermines the program's regulatory defensibility when examiners ask for evidence of uniform global standards.
4. No separation of duties within the KYE program itself. The team conducting employee screening should not report to the same function they are screening. Compliance and HR should have independent oversight roles, and final screening decisions should require sign-off from a party with no personal interest in the hiring outcome.
5. Building monitoring infrastructure without case management capacity. Behavioral monitoring generates value only when alerts lead to investigation. Organizations that deploy detection tooling but lack the workflow or staffing to follow up on flags gain false assurance without genuine risk reduction. This is the employee due diligence equivalent of running identity checks and ignoring the matches.
Know Your Employee (KYE) and Tagada
Payment orchestration platforms like Tagada sit at the center of a merchant's payment stack—routing transactions, managing provider connections, and holding configuration data that directly controls where money flows. That position makes internal access controls especially consequential: an employee with the ability to modify routing logic, approve exceptions, or manage API credentials can cause significant financial harm if they have not been properly vetted and are not subject to ongoing monitoring.
If you use Tagada to orchestrate payments, apply KYE principles to every team member with admin access to your Tagada instance—particularly anyone who can modify routing rules, view raw transaction data, or manage provider credentials. Treat this access tier as equivalent to direct access to your financial systems and apply enhanced due diligence and quarterly access recertification accordingly.
Tagada's audit logging capabilities support KYE programs by generating the access and transaction records that compliance teams need for behavioral monitoring and regulatory examination. Map those logs into your SIEM or compliance tooling to close the loop between your KYE policy and the operational controls that make it enforceable.