KYC

Know Your Customer (KYC): Definition and Use in Compliance


Know Your Customer (KYC) is a regulatory compliance process that requires financial institutions to verify the identity of their customers, assess financial crime risk, and monitor account activity on an ongoing basis to prevent money laundering and fraud.


What is Know Your Customer (KYC)?

Know Your Customer (KYC) is a regulatory compliance process that requires financial institutions to verify the identity of their customers, assess financial crime risk, and monitor account activity on an ongoing basis. Banks, payment firms, insurers, and securities dealers are all subject to KYC requirements in most jurisdictions, though the depth of those requirements varies by industry and by the risk profile of the customer relationship.

KYC breaks into three sequential obligations. Identification comes first: before accepting a customer, the institution must verify who they are. A retail bank collects a government-issued ID and proof of address. A private bank onboarding a high-net-worth client may also require certified documents and a source-of-wealth statement. Risk assessment follows. The institution scores the customer based on country of residence, occupation, product type, and expected transaction volumes. That score determines which tier of due diligence applies.

Customer Due Diligence (CDD) is the baseline and applies to most customers. Higher-risk relationships require Enhanced Due Diligence (EDD), which adds senior management approval, deeper source-of-funds documentation, and more frequent periodic review. In narrow, low-risk categories, regulators allow Simplified Due Diligence (SDD), which reduces the documentation burden without eliminating verification entirely.

The third obligation is ongoing monitoring. A customer who passed KYC at onboarding is still a risk. Transaction patterns change. People get added to sanctions lists. Account activity at month 36 may look nothing like the expected profile from month one. Continuous monitoring is what catches that drift. When it produces a red flag, compliance teams review the account, update the risk rating, request fresh documentation if needed, and file a Suspicious Activity Report (SAR) with the relevant authority if the activity warrants it.


How is Know Your Customer (KYC) used in practice?

In a retail bank, KYC starts at account opening. An applicant submits ID; the system checks it against document verification databases, screens the name against OFAC, HMT, and UN sanctions lists, and runs a PEP check. In automated onboarding flows, this takes under two minutes. When the risk scoring engine flags something, the case drops into a manual review queue for an analyst.

The risk score drives everything downstream. A customer scoring low gets standard periodic review, typically annual. A customer flagged medium or high goes to the analyst team for a fuller file review. That file must answer specific questions: What is the source of funds? What is the expected transaction activity? Does account usage match what the customer stated at onboarding?

For corporate customers, KYC extends into Know Your Business (KYB), which means tracing ownership to the Ultimate Beneficial Owner (UBO), any natural person who ultimately owns or controls more than 25% of the entity (10% in higher-risk cases). Complex ownership chains through multiple jurisdictions slow this process considerably. We've seen cases where a single corporate KYC file ran to 200 pages before an analyst could confirm the final ownership structure.

Ongoing monitoring is the continuous layer. Transactions are screened in real time or near real time. Unusual patterns, large cash deposits, wire transfers to high-risk jurisdictions, or structured transactions just below reporting thresholds all generate alerts. Analysts triage those alerts daily. The ones that hold up under scrutiny become Suspicious Activity Reports (SARs) or Suspicious Transaction Reports (STRs), depending on jurisdiction. Large cash transactions above statutory thresholds, regardless of whether they appear suspicious, require a Currency Transaction Report (CTR) in the US.


Know Your Customer (KYC) in regulatory context

KYC requirements trace to FATF Recommendation 10, which obligates countries to require financial institutions to identify and verify the identity of customers. The FATF Forty Recommendations are the global standard; over 200 jurisdictions have committed to implementing them, and FATF's mutual evaluation process holds countries accountable for doing so.

In the United States, the primary instruments are the Bank Secrecy Act and FinCEN's Customer Due Diligence Final Rule, effective May 2018. The CDD Rule added a fourth explicit element to what banks must collect at account opening: beneficial ownership of legal entity customers. Any company opening a business account must now disclose natural persons owning 25% or more. FinCEN makes clear this is a floor; banks can and should apply stricter thresholds for high-risk sectors.

In Europe, the Anti-Money Laundering Directives set requirements that member states translate into national law. The Fifth AMLD introduced public beneficial ownership registers and tightened rules on high-risk third countries. The UK's Money Laundering, Terrorist Financing and Transfer of Funds Regulations 2017, updated post-Brexit, set out equivalent CDD obligations, including specific EDD triggers.

Regulators enforce KYC failures aggressively. BNP Paribas paid $8.9 billion to US authorities in 2014 for sanctions violations tied to inadequate customer screening. HSBC paid $1.9 billion in 2012 following findings of systemic AML failures. The Basel Committee on Banking Supervision warned in 2001 that inadequate KYC programs expose banks to reputational, operational, legal, and concentration risk. Those warnings have proven accurate many times over.


Common challenges and how to address them

KYC has four recurring operational problems: data quality, false positive volume, refresh backlogs, and proportionality.

Data quality comes first. Customer records frequently arrive with inconsistent name spellings, transliterations from non-Latin scripts, and outdated addresses. Screening engines are sensitive to these variations; a mismatch between "Mohamed" and "Mohammed" can generate a false sanctions hit. Institutions address this by standardizing data at intake, using fuzzy-matching logic calibrated to acceptable thresholds, and maintaining clear escalation rules for edge cases where an analyst must make the final call.
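The intake standardization and calibrated fuzzy matching described above, as an added example that is not part of the original glossary entry. The watch-list entries, the two thresholds and the names screened are constructed for illustration; a production screen would use the institution's licensed list data and thresholds calibrated against its own hit history. The point it shows is the escalation band: a near-miss such as "Mohamed" against "Mohammed" is neither auto-cleared nor auto-blocked but routed to an analyst.

```python
"""Added example: sanctions-list name screening with intake normalization,
a calibrated fuzzy match, and an explicit analyst-escalation band.
Not the page's own code; watch list, thresholds and names are constructed."""

import unicodedata

# Constructed watch-list excerpt for illustration (not a real sanctions list).
WATCH_LIST = [
    "Mohammed Al-Rashid",
    "Ivan Petrov",
    "Global Trade Holdings Ltd",
]

# Assumed calibration: at or above HIT_THRESHOLD the screen alerts outright;
# between REVIEW_THRESHOLD and HIT_THRESHOLD an analyst makes the final call;
# below REVIEW_THRESHOLD the name clears.
HIT_THRESHOLD = 0.95
REVIEW_THRESHOLD = 0.80


def normalize(name: str) -> str:
    """Standardize a name at intake: strip diacritics, casefold, and collapse
    punctuation and whitespace so transliteration noise does not drive the score."""
    decomposed = unicodedata.normalize("NFKD", name)
    no_marks = "".join(c for c in decomposed if not unicodedata.combining(c))
    cleaned = "".join(c if c.isalnum() else " " for c in no_marks.casefold())
    return " ".join(cleaned.split())


def levenshtein(a: str, b: str) -> int:
    """Edit distance (insert, delete, substitute) between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def similarity(a: str, b: str) -> float:
    """Normalized similarity in [0, 1]; 1.0 is an exact match after normalization."""
    a, b = normalize(a), normalize(b)
    longest = max(len(a), len(b))
    if longest == 0:
        return 1.0
    return 1.0 - levenshtein(a, b) / longest


def screen(name: str, watch_list=WATCH_LIST):
    """Return (disposition, best_matching_entry, score).
    Disposition is 'hit', 'review' (analyst escalation) or 'clear'."""
    best_entry, best_score = None, 0.0
    for entry in watch_list:
        score = similarity(name, entry)
        if score > best_score:
            best_entry, best_score = entry, score
    if best_score >= HIT_THRESHOLD:
        disposition = "hit"
    elif best_score >= REVIEW_THRESHOLD:
        disposition = "review"
    else:
        disposition = "clear"
    return disposition, best_entry, round(best_score, 3)


if __name__ == "__main__":
    for candidate in ["Mohamed Al Rashid", "IVÁN PETROV", "Jane Smith"]:
        print(candidate, "->", screen(candidate))
```

Calibration is the part that matters operationally: the review band should be wide enough that one-letter transliteration variants reach an analyst, and the hit threshold tight enough that exact and diacritic-only variants do not wait in a queue.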

False positives are the volume problem. A large bank running automated transaction monitoring might generate 50,000 alerts per month, of which fewer than 5% result in an actual SAR filing. Analysts spend most of their time clearing noise. Better outcomes come from tuning detection models against actual SAR outcomes, segmenting customers by product type and geography, and building risk typologies from the institution's own historical data rather than generic red flags copied from regulatory guidance.

Refresh backlogs are the chronic problem. Banks have run up KYC remediation backlogs of 30,000 or 40,000 files, with customers due for periodic review untouched for two or three years. Regulators have imposed consent orders and new business restrictions for exactly this failure mode. Fixing it requires ruthless prioritization by risk tier: clear high-risk accounts first, then medium, then standard. Automated document collection outreach cuts analyst time per file significantly.

Proportionality is the fourth challenge. Applying EDD-depth processes to low-risk retail customers wastes resources and creates friction that drives customers to less regulated alternatives. Risk-based approaches, where process depth scales with actual risk indicators, produce better compliance outcomes than treating every customer identically.


Related terms and concepts

KYC sits within a broader compliance framework. Understanding how adjacent terms fit together matters for anyone building or auditing a compliance program.

Customer Due Diligence (CDD) is the formal regulatory term for the process KYC describes. KYC is the operational language; CDD is the legal language. FinCEN's CDD Final Rule and FATF Recommendation 10 both use "customer due diligence" as the governing term, but compliance teams, vendors, and technology platforms use "KYC" interchangeably. They're the same thing.

When the customer is a business rather than an individual, KYC becomes Know Your Business (KYB). KYB adds requirements that don't exist for natural persons: registrar filings, ownership charts, and identification of Ultimate Beneficial Owners (UBOs). The Beneficial Owner definition varies slightly by jurisdiction, but the principle is consistent: trace to the natural persons who actually own or control the entity, past any layers of corporate structure.
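The UBO tracing that both the KYB paragraph above and the earlier "in practice" section describe, as an added example that is not part of the original glossary entry. The ownership register is constructed for illustration; the 25% and 10% thresholds are the figures the page itself quotes. Ownership fractions are multiplied down each chain and summed across all chains to the same person, which is what makes a person who holds only small direct stakes surface once indirect holdings are counted; a path guard stops cross-holdings between entities from recursing forever.

```python
"""Added example: tracing effective ownership through layered corporate
structures to identify Ultimate Beneficial Owners (UBOs).
Not the page's own code; the ownership register below is constructed."""

# Constructed ownership register: entity -> list of (owner, fraction held).
# Any owner that is not itself a key is treated as a natural person.
OWNERSHIP = {
    "TargetCo": [("HoldCo", 0.50), ("Alice", 0.05), ("TrustCo", 0.45)],
    "HoldCo": [("Alice", 0.60), ("Bob", 0.40)],
    "TrustCo": [("Carol", 1.00)],
}

UBO_THRESHOLD_STANDARD = 0.25   # the page's standard-case figure
UBO_THRESHOLD_HIGH_RISK = 0.10  # the page's higher-risk figure


def effective_ownership(entity, register, path=()):
    """Map each natural person to their summed effective share of `entity`.
    Fractions multiply down every chain of entities and add up across chains.
    `path` records the entities already on the current chain so that a
    cross-holding (A owns B, B owns A) terminates instead of looping."""
    totals = {}
    if entity in path:
        return totals
    for owner, fraction in register.get(entity, []):
        if owner in register:
            # Intermediate entity: recurse and scale its owners' shares.
            for person, share in effective_ownership(owner, register, path + (entity,)).items():
                totals[person] = totals.get(person, 0.0) + fraction * share
        else:
            # Natural person: direct holding.
            totals[owner] = totals.get(owner, 0.0) + fraction
    return totals


def ultimate_beneficial_owners(entity, register, threshold=UBO_THRESHOLD_STANDARD):
    """Natural persons whose effective ownership meets `threshold`, largest first.
    Whether the comparison is '>' or '>=' is jurisdiction-specific; '>=' is used here."""
    totals = effective_ownership(entity, register)
    owners = [(person, round(share, 4)) for person, share in totals.items() if share >= threshold]
    return sorted(owners, key=lambda item: (-item[1], item[0]))


if __name__ == "__main__":
    print("standard:", ultimate_beneficial_owners("TargetCo", OWNERSHIP))
    print("high risk:", ultimate_beneficial_owners("TargetCo", OWNERSHIP, UBO_THRESHOLD_HIGH_RISK))
```

Run against the constructed register, Alice holds only 5% directly but 35% effectively once her 60% of HoldCo is counted, so she is a UBO at the standard threshold; Bob's 20% effective stake only appears at the 10% higher-risk threshold.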

When KYC monitoring surfaces suspicious behavior, the output is a filing with the financial intelligence unit. In the US, that's a Suspicious Activity Report (SAR). In many other jurisdictions, it's a Suspicious Transaction Report (STR). Large cash transactions above statutory thresholds require a Currency Transaction Report (CTR) regardless of whether the underlying transaction looks suspicious.

The depth of KYC scales with assessed risk. Standard customers receive baseline Customer Due Diligence (CDD). Politically exposed persons, customers in high-risk jurisdictions, and relationships with complex ownership structures require Enhanced Due Diligence (EDD). Certain narrow, demonstrably low-risk product categories permit Simplified Due Diligence (SDD). Choosing the wrong tier in either direction, applying EDD to a standard retail customer or SDD to a high-risk one, is itself a compliance failure.



Where does the term come from?


The phrase "know your customer" entered financial regulation through the US Bank Secrecy Act of 1970, but it gained its current structured meaning with the Basel Committee on Banking Supervision's 2001 paper, "Customer Due Diligence for Banks." That paper codified the three-pillar structure: identification, risk assessment, and ongoing monitoring. FATF formalized equivalent obligations globally in its 2003 revision of the Forty Recommendations. National legislation in the EU (the AMLD series), the UK (Money Laundering Regulations 2017), and the US (FinCEN's CDD Final Rule, effective 2018) translated those recommendations into enforceable law, each with varying thresholds and timing requirements.



How FluxForce handles Know Your Customer (KYC)

FluxForce AI agents monitor Know Your Customer (KYC)-related patterns in real time, flag anomalies for analyst review, and generate evidence-backed decisions with full audit trails.
