What is KYC in banking?

As well as being critical for assessing customer risk, KYC procedures are a legal requirement for banks and financial institutions that must comply with anti-money laundering (AML) laws.

April 6, 2023

KYC stands for know your customer. The associated standards are designed to protect financial institutions against fraud, corruption, money laundering, and terrorist financing.  

In banking, KYC involves three key steps:

  • Establishing the identity of the customer
  • Understanding the nature of that customer’s activities and their source of funds or wealth
  • Assessing the money laundering risk associated with that customer

To help you learn more about the KYC process, we’ve put together this guide that includes all the latest guidance. We’ll look at exactly why KYC is so important, the steps you need to take, and how our solutions can help you.

Why is KYC important?

By law, all financial institutions are required to know their customers. If a financial institution fails to verify the identity of a customer and that customer goes on to commit a financial crime such as money laundering or terrorist financing, then the bank can face fines, sanctions, and reputational damage.

On top of this, effective KYC processes can also protect a bank from fraud and losses that are associated with illegal funds and transactions. This is because the process has been specifically designed to help prevent banks and other financial services from being used for money laundering.

The KYC advantages a bank experiences are numerous. Not only do these procedures ensure that bad actors cannot exploit their services, but they also help enhance the bank’s reputation and save them money. 

However, that isn’t to say that KYC disadvantages don’t exist. After all, if they’re not properly implemented, then KYC processes can be burdensome and off-putting for some customers. That said, KYC processes are mandatory, and you must ensure that you have the correct checks in place before you allow a customer to access your services.

KYC compliance

In order to ensure KYC compliance, you must establish the customer’s identity, understand the nature of that customer’s activities, and assess the level of risk they pose. To do this, your KYC program must include the following three steps:

Customer identification program (CIP)

Before a customer is allowed to open an account, their identity must be established and verified. At a minimum, the bank should ask the customer for their:

  • Name
  • Date of birth
  • Address

Once a customer has provided this information, they must then supply the bank with a government-issued identity document that confirms the accuracy of this information. The bank can then verify that this document is accurate by checking with third-party databases.

On top of this, the latest KYC guidance says that banks must ask the customer to supply a selfie. Using biometric authentication techniques, the bank can then verify that the person providing the information is also the owner of the identity, rather than a fraudster who has stolen that information.

Customer due diligence

Following this, the bank must then perform customer due diligence (CDD) checks. There are three possible levels:

  • Simplified due diligence (SDD)
  • Customer due diligence (CDD)
  • Enhanced due diligence (EDD)

Each of these forms of due diligence is more onerous than the last. While simplified due diligence processes are reserved for extremely low-risk customers, enhanced due diligence processes are often used for incredibly high-risk customers, such as politically exposed persons or someone who is the subject of sanctions. 

During the due diligence process, KYC guidance states that the bank must ascertain the identity and the location of the customer. They must also develop an understanding of their business activities.

Using this information, the bank can then classify the customer’s risk category before storing this information and any additional documentation digitally. Keeping records of CDD and EDD checks performed on each customer is necessary in case of a regulatory audit.

Once due diligence has been carried out and the bank is fully aware of the level of risk a customer poses, they can then be onboarded (or rejected if the risk level is too high).

Ongoing monitoring

Although KYC is a vital part of the onboarding process, customers must also be monitored on an ongoing basis to ensure AML compliance. When devising your KYC process, you should therefore put provisions in place that give you oversight of each customer’s financial transactions and activities. You must then continually check that these are in keeping with that customer’s risk profile. If not, then you may be required to file a suspicious activity report (SAR).

Anti-money laundering laws

Anti-money laundering laws vary around the world and each country has its own regulations in place. However, the Financial Action Task Force (FATF), which is an intergovernmental organization, provides regularly updated guidance for both KYC and AML. To date, more than 190 countries follow FATF guidance.

In the United States, the main AML legal authority is the Financial Crimes Enforcement Network (FinCEN), which is a bureau within the US Department of Treasury. In the UK, the main financial services regulator is the Financial Conduct Authority.

AML policies worldwide

In order to achieve KYC and AML compliance, a bank must ensure that it’s following the law in its jurisdiction. As mentioned, this is because AML laws vary on a country-by-country basis.

In the US, firms must comply with the Bank Secrecy Act 1970 and the USA Patriot Act 2001. Although these are the two key pieces of AML legislation, firms must also be familiar with other important AML regulations, including:

  • Money Laundering Control Act 1986
  • Money Laundering Suppression Act 1994
  • Money Laundering and Financial Crimes Strategy Act 1998
  • Suppression of the Financing of Terrorism Convention Implementation Act 2002
  • Intelligence Reform and Terrorism Prevention Act 2004

Meanwhile, in Europe, KYC and AML are governed by the AMLD regulations. Unsurprisingly, the UK’s AML regulations are similar to Europe’s. The relevant laws in the UK include the Proceeds of Crime Act 2002, the Terrorism Act 2000, and the Money Laundering, Terrorist Financing and Transfer of Funds 2017.

Although the UK left the EU on January 31, 2020, it remains committed to transposing the AML/CFT standards set out in the EU’s 5th and 6th anti-money laundering directives (AMLD).

What are some examples of money laundering?

Money laundering is a serious financial crime that involves attempting to make money generated from criminal activities appear legitimate.

Criminals will use a variety of techniques when attempting to launder money, including:

  • Using a legitimate, cash-based business that is owned by a criminal organization
  • Smurfing (breaking up large chunks of cash to avoid detection)
  • Using cash smugglers or mules to take cash across a border and conceal it in a foreign account
  • Investing in commodities that can be moved to other jurisdictions
  • Investing in and selling valuable assets such as real estate, cars, and boats
  • Gambling and laundering money at casinos
  • Counterfeiting
  • Using shell companies

KYC guidance

To help make sure your organization is compliant and has the correct risk management strategies in place, we’ve put together the following pieces of KYC guidance, which can be used as a KYC checklist.

Ensure customer risk profiles fit with your policies

Accurately assessing the level of risk a customer poses is a cornerstone of effective KYC. To do this, you need to understand everything you can about the identity of your customer, so you should check:

  • Their full name and address
  • Their government-issued ID
  • Whether their selfie matches their ID
  • The nature of the intended relationship
  • Whether the customer appears on any sanctions lists, blacklists, or politically exposed persons lists

Using this information, you can build an overview of the risk profile of the client and establish whether they would be an acceptable fit for your business.

Utilize third-party databases

To help fully and accurately establish the level of risk a customer poses, you must access third-party databases, such as government databases, the database of a financial institution, or a UBO database. This will help you build a rounded view of the client and can be used to verify the information they’ve provided.

Establish the form of due diligence required

Once you’ve gathered and analyzed the data provided by the client and checked this information against third-party databases, you will have a good understanding of the level of CDD required. Remember, your options are:

  • Simplified due diligence
  • Customer due diligence
  • Enhanced due diligence

The higher the level of risk the customer poses, the more stringent your due diligence checks should be. Any customer that appears on a watchlist should be subjected to enhanced due diligence checks.

Make a record of checks

Now you know the exact level of risk a customer poses and can make a decision about whether they can be onboarded.

Once this decision has been made, you must keep a copy of all the CDD records you created during the due diligence process. These can be used to show regulators that your business is doing everything it can to reduce the risk of money laundering, in case there’s an audit or investigation.

The record should show the trail of research you carried out and the reasons why you took the decisions you did. It should then be secured safely and in a way that’s compliant with record-keeping regulations, such as GDPR in the EU.

Set procedures in place for ongoing monitoring

Finally, you must remember that KYC is part of an effective AML strategy, which does not end when the customer has opened an account. Due to this, you must put procedures in place for ongoing monitoring. These should allow you to monitor account activities and unusual transactions. Plus, you should also continue to monitor sanctions lists and watchlists, in case the customer’s risk profile changes.

Follow these KYC process steps and you’ll gain a deeper understanding of your customers, and ensure that you’re continually meeting regulatory requirements.

Where is Veriff in the KYC industry?

Here at Veriff, we’ve developed a class-leading AML and KYC compliance solution that can help you show regulators that you take financial crime and compliance seriously.

Firstly, our solution helps you confirm the identity of your customer. Thanks to accurate and automated decision-making, it has never been easier to verify a customer’s identity. All they need to do is provide some basic information, a photo of their government-issued document, and a quick selfie. This process immediately stops fraudsters from attempting to access your services.

Once a customer’s identity has been verified, our solution then screens that customer against politically exposed persons and sanctions watchlists, which are updated in real time. It also checks for adverse information and negative media, which may reveal predicate offences.

With all this information, a decision regarding onboarding can then be made. But, here at Veriff, we understand that political and regulatory environments change very quickly. Thankfully, with the help of real-time data, you can continually screen your customer lists and receive ongoing monitoring of PEP watchlists, global sanctions lists, and adverse media. You’ll also be notified if something changes with any of your existing or previously onboarded customers.

Interested in hearing more about how our AML and KYC compliance solution can help your business? Talk to our KYC experts today.


To help provide you with even more KYC guidance, below we’ve answered a number of popular customer questions about KYC and AML.

What is KYC?

KYC stands for know your customer. It’s a mandatory process that involves identifying and verifying the client’s identity before they open an account. The process also involves determining the level of money laundering risk the client poses. Once the client’s identity has been verified and their risk tolerance has been calculated, they can open an account. AML laws state that they then must be monitored on an ongoing basis.

What are KYC norms?

As KYC is a regulatory requirement, banks and financial institutions must follow set norms, including:

  • Customer identification program
  • Customer due diligence process
  • Ongoing monitoring

By carrying out these processes, a bank can establish and verify the identity of the customer, accurately determine the level of risk they pose, and continually check for signs of criminal activity.

Why is KYC important?

KYC is important because it protects financial institutions from being exploited by criminals who are attempting to launder money. KYC is also a legal requirement and if banks fail to understand who their customers are and the risk they pose, they will be liable for huge fines and face vast amounts of reputational damage.

What’s the difference between KYC and AML?

Broadly speaking, AML refers to all efforts involved in preventing money laundering, including verifying customer identities, stopping known criminals from becoming customers, and monitoring transactions. Due to this, AML is an umbrella term.

On the other hand, KYC specifically refers to the customer identification and screening process, which helps businesses understand the risk each customer poses.