What is KYC (Know Your Customer)?
Know Your Customer (KYC) refers to a framework of measures for verifying the identities of customers, assessing their risk profiles, and understanding the nature and purpose of their financial activities.
KYC is a mandatory regulatory practice for financial institutions like banks, brokers, and investment firms. Certain other industries may also be subject to KYC requirements depending on the jurisdiction.
KYC typically involves multiple procedures, such as a Customer Identification Program (CIP), Customer Due Diligence (CDD), and ongoing monitoring or Enhanced Due Diligence (EDD).
The origins of modern KYC regulations can be traced back to the US Bank Secrecy Act (BSA) of 1970. Today, KYC remains integral to anti-money laundering (AML) compliance, helping organizations detect suspicious activities and prevent financial crimes.
What are the requirements for a KYC program?
A robust KYC program generally includes three core elements: a Customer Identification Program (CIP), Customer Due Diligence (CDD), and, for higher-risk customers, Enhanced Due Diligence (EDD).
But an effective KYC framework also demands a broader compliance infrastructure. This includes thorough recordkeeping, staff training, internal audits, and in some cases, the use of automated KYC tools to enhance efficiency and consistency.
While KYC itself focuses on customer identity and risk profiling, it is usually integrated into a wider AML program that imposes other obligations, such as the timely reporting of suspicious activity to authorities.
Customer Identification Program (CIP)
The CIP aims to ensure that only legitimate customers gain access to financial services. In the US, the CIP rule requires financial institutions to obtain at least four key pieces of identifying information from individual customers:
Full name
Date of birth
Residential or business address
Identification number of a government-issued ID (e.g., ID card, driver’s license, or passport)
The organization must then verify the information using risk-based procedures, which may include requesting additional documentation (e.g., utility bills).
For corporate clients, institutions may require documentation such as business registration certificates to verify the entity’s legal name, address, and ownership or control structure — including identification of beneficial owners where required.
Aside from the documentary-based methods, many institutions also rely on non-documentary verification, such as contacting the customer directly or cross-referencing information against government lists and public databases.
Customer Due Diligence (CDD)
CDD builds on the information collected during the CIP to assess the customer’s risk level and determine the appropriate level of monitoring. The process may involve collecting additional information about the customer’s financial history, source of funds, activities, and the purpose of specific transactions.
The goal of CDD is to obtain enough information to understand the customer’s financial behavior, assess their risk profile, and ensure the institution can effectively monitor for suspicious activity. Standard CDD is typically sufficient for customers who pose a low risk of money laundering or terrorist financing, though high-risk customers may trigger Enhanced Due Diligence (EDD) requirements.
Enhanced Due Diligence (EDD)
EDD is a set of intensified measures that apply to high-risk customers flagged during CDD. It aims to manage the elevated risks identified during standard due diligence.
EDD involves more detailed background checks, verification of the source of funds and wealth, and heightened scrutiny of transactions. The financial institution might need to collect additional documentation such as bank statements, business records, tax filings, or even affidavits confirming the legitimacy of a customer’s wealth.
If a high-risk customer is onboarded, EDD becomes an ongoing process, with the institution continuously monitoring their transactions and behavior. Upon identifying suspicious activity or transactions from high-risk clients, financial institutions file Suspicious Activity Reports (SARs) with the relevant governing authorities.
How does the KYC process work?
KYC applies across the entire customer lifecycle: it begins before account opening and continues for the life of the customer relationship through periodic reviews and ongoing due diligence (also known as re-KYC).
A standard KYC process includes the following steps:
Customer identification: Collection of personal data, including name, date of birth, address, and ID number.
Identity verification: Confirming that the customer’s personal information is authentic through documentary and non-documentary methods.
Risk assessment: Evaluating the customer’s potential exposure to financial crime based on factors such as their geographic location and transaction behavior. As part of this step, institutions screen customers against sanctions lists and politically exposed person (PEP) lists. High-risk individuals or entities are asked to provide additional documentation to verify the source of funds, ownership structure, and other information.
Ongoing monitoring: The financial institution continuously tracks customers’ activities to detect anomalies, suspicious transactions, and unusual behavioral patterns that may indicate money laundering or fraud.
Regulatory reporting and recordkeeping: If compliance teams spot suspicious activities, they must file a SAR with the governing regulatory body. Institutions must also maintain records of customer identification, due diligence efforts, and transaction history for compliance audits for a duration mandated by the respective regulator.
Risk factors
To evaluate the risk profile of the existing or prospective customer and confirm whether it is safe to do business with them, institutions might consider:
If the company or individual is based in a jurisdiction identified as high risk due to weak AML regimes, high levels of corruption, or geopolitical instability.
If the individual or the executives associated with the company are present on PEP databases or criminal registries.
If the individual or organization is sanctioned for engaging in illegal activities such as money laundering, terrorism financing, drug trafficking, or human rights violations.
The risk profiles of any individuals listed as directors or shareholders, or who qualify as ultimate beneficial owners (UBOs), typically individuals with 25% or more ownership or control of the entity.
If the company’s business is mainly cash-based or part of an industry known for high money laundering risk.
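The risk assessment step above and this list of risk factors describe a procedure without showing how it is applied to a customer record. The following Python is an added example, not code from the original page: it computes each natural person's effective ownership of a customer entity through a chain of holding companies, flags UBOs at the page's 25% threshold, and then applies the listed factors (sanctions, PEP, high-risk jurisdiction, cash-intensive industry) to choose a due-diligence tier. The ownership graph, the names, the list contents, the jurisdiction codes and the tier names are constructed placeholders; the look-through of indirect ownership and the mapping from factors to tiers are this example's own assumptions, not something the page specifies.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Threshold stated on the page: 25% or more ownership or control marks a UBO.
UBO_THRESHOLD = 0.25

# Reference data. Constructed placeholders for illustration only; a real
# program would use official sanctions and PEP feeds and a jurisdiction model.
HIGH_RISK_JURISDICTIONS = {"XX"}                            # placeholder code
PEP_LIST = {"Carol"}                                        # constructed PEP hit
SANCTIONS_LIST = {"Eve"}                                    # constructed sanctions hit
CASH_INTENSIVE_INDUSTRIES = {"casino", "money-services"}    # assumed labels

# Ownership graph: entity -> [(owner, fraction of that entity)].
# Owners that are themselves keys are intermediate companies; any other
# owner is treated as a natural person. Constructed sample data.
OWNERSHIP: Dict[str, List[Tuple[str, float]]] = {
    "AcmeCo": [("HoldCo", 0.60), ("Alice", 0.30), ("Bob", 0.10)],
    "HoldCo": [("Carol", 0.50), ("Dave", 0.50)],
    "LoopCo": [("LoopCo", 0.10), ("Frank", 0.90)],  # self-holding edge case
}


def effective_ownership(entity: str, graph, share: float = 1.0, path=()) -> Dict[str, float]:
    """Map each natural person to the fraction of `entity` they hold through any
    chain of intermediate companies: fractions multiply along a chain and add
    across chains. `path` stops circular holdings from recursing forever."""
    if entity in path:
        return {}
    totals: Dict[str, float] = {}
    for owner, frac in graph.get(entity, []):
        if owner in graph:  # intermediate company: look through it
            nested = effective_ownership(owner, graph, share * frac, path + (entity,))
            for person, sub in nested.items():
                totals[person] = totals.get(person, 0.0) + sub
        else:
            totals[owner] = totals.get(owner, 0.0) + share * frac
    return totals


def find_ubos(entity: str, graph, threshold: float = UBO_THRESHOLD) -> Dict[str, float]:
    """Natural persons at or above the UBO threshold, rounded for reporting."""
    return {p: round(f, 4) for p, f in effective_ownership(entity, graph).items() if f >= threshold}


@dataclass
class Customer:
    name: str            # must match a key in the ownership graph for UBO look-through
    jurisdiction: str
    industry: str
    directors: List[str] = field(default_factory=list)


def assess_risk(customer: Customer, graph) -> Tuple[str, List[str]]:
    """Apply the page's risk factors and return (tier, reasons).
    The tier names are this example's convention, not regulatory terms."""
    reasons: List[str] = []
    parties = set(customer.directors) | set(find_ubos(customer.name, graph))

    sanctioned = sorted(parties & SANCTIONS_LIST)
    if sanctioned:
        reasons.append(f"sanctions hit: {', '.join(sanctioned)}")
    peps = sorted(parties & PEP_LIST)
    if peps:
        reasons.append(f"PEP: {', '.join(peps)}")
    if customer.jurisdiction in HIGH_RISK_JURISDICTIONS:
        reasons.append(f"high-risk jurisdiction: {customer.jurisdiction}")
    if customer.industry in CASH_INTENSIVE_INDUSTRIES:
        reasons.append(f"cash-intensive industry: {customer.industry}")

    if sanctioned:
        tier = "escalate"      # sanctions match: no onboarding without compliance sign-off
    elif reasons:
        tier = "EDD"           # any other factor triggers enhanced due diligence
    else:
        tier = "standard CDD"
    return tier, reasons


if __name__ == "__main__":
    acme = Customer("AcmeCo", "AA", "software", directors=["Bob"])
    print(find_ubos("AcmeCo", OWNERSHIP))   # {'Alice': 0.3, 'Carol': 0.3, 'Dave': 0.3}
    print(assess_risk(acme, OWNERSHIP))      # ('EDD', ['PEP: Carol'])
```

Note that Bob holds 10% directly and is not a UBO, while Carol and Dave each reach 30% only through HoldCo; a check that reads only the direct shareholder register would miss them, which is why the look-through matters.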
Which businesses need KYC?
Banks, fintechs, investment firms, and insurers were among the first sectors legally required to implement KYC programs. However, today, KYC procedures aren’t exclusively limited to the financial sector.
In jurisdictions aligned with Financial Action Task Force (FATF) Recommendations, businesses known as “obliged entities” are required by law to implement KYC procedures. These include:
Financial institutions, such as...
Non-financial businesses and professions, such as...
Real estate agencies
Casinos and sports betting platforms
Law firms handling financial transactions
Accounting and auditing firms involved in financial reporting
High-value goods dealers
Some businesses that aren’t strictly required to implement KYC — such as telecommunications or car rental companies — may decide to voluntarily adopt KYC measures to protect against liability for financial crime.
What are KYC documents?
While the exact list of required KYC documents may differ by jurisdiction and entity type, customers generally must provide proof of their identity, residence, and source of funds.
For individual customers, the required documents might include:
A government-issued ID (passport, national ID card, or driver’s license)
Proof of address (utility bill, bank statement, or lease agreement)
Source of funds (tax return forms, income statements, or other source of wealth documentation)
Some jurisdictions also require a national identifier, such as a Tax Identification Number (TIN) or Social Security Number (SSN).
Corporate customers are typically asked to provide:
Proof of legal formation (certificate of incorporation, business registration documents, and articles of association)
Ownership and control structure (details of directors, officers, and ultimate beneficial owners [UBOs])
Tax identification numbers
Proof of business address (utility bills, tax filings, or lease agreements)
The technology behind KYC checks
To verify the identity of a prospective or existing customer, KYC software solutions may apply a range of automated procedures.
These include AI-powered risk-scoring models that assess customer profiles dynamically. KYC checks may also be strengthened by biometric authentication, such as liveness checks, facial recognition, and fingerprint scanning.
Other technological advancements that help improve fraud detection accuracy include using machine learning algorithms to identify selfie video tampering and using device geolocation to confirm proof of address.
Many KYC technologies allow for fast or even near-instant identity verification through automation. But higher-risk profiles still often require manual review or the approval of a compliance officer to meet regulatory obligations.
KYC FAQs
How long does the KYC process take?
For prospective customers that pose low risk, automated and/or AI-driven KYC solutions can complete the process in just a couple of minutes. For low-to-moderate-risk customers, the procedure can take several days. Individuals or organizations deemed high-risk must undergo manual reviews and Enhanced Due Diligence, which might take a few weeks.
Do KYC requirements vary by country?
Since many jurisdictions have based their KYC requirements on the global FATF Recommendations, similarities exist. But KYC requirements do tend to vary by country. The differences can relate to factors such as which businesses must comply with KYC laws, which customer documents are required, and how the information is stored.
How often does KYC information need to be updated?
Financial institutions might request periodic updates of KYC information (known colloquially as re-KYC), with the frequency depending on customer risk levels and regulatory requirements. Low-risk customers may require updates every two to five years, for example. For high-risk customers, the periodic KYC checks are more frequent.
What are the risks and penalties for KYC non-compliance?
KYC non-compliance can have serious repercussions for financial institutions, including fines, license revocation, and even imprisonment. Doing business with criminals and enabling money laundering also makes institutions subject to increased reputational damage, eroded customer trust, and financial losses.