How KYC Works
KYC is not a single check but a structured process that moves from initial identity collection through risk assessment to ongoing monitoring. Most regulated programs follow a four-step cycle that repeats whenever a customer's risk profile changes materially.
Customer Identification
The business collects identifying information from the customer: full legal name, date of birth, address, and a government-issued ID number. For individuals this is typically a passport, national ID card, or driver's license. For businesses, incorporation documents and a list of beneficial owners who hold more than 25% ownership are required.
Identity Verification
Collected information is verified against authoritative sources. In-person programs check physical documents; digital programs use OCR to extract data from ID photos, facial recognition to match selfies against ID images, and database lookups against government registries, credit bureau records, and global watchlists. Liveness detection prevents spoofing with static photographs.
Risk Assessment
Once identity is confirmed, the customer is assigned a risk tier. Low-risk customers (domestic, low transaction volume, established businesses) receive simplified checks. Standard customers undergo baseline customer due diligence. High-risk customers — those in sanctioned jurisdictions, politically exposed persons (PEPs), or those transacting in high-risk product categories — require enhanced due diligence including source-of-funds documentation and senior management approval.
Ongoing Monitoring
KYC onboarding is not a one-time event. Businesses must continuously monitor customer transactions for activity that is inconsistent with the stated purpose of the relationship. Unusual transaction patterns, changes in ownership structure, and new sanctions list matches all trigger re-verification. Many programs also require periodic full re-KYC on a scheduled basis — typically every one to three years depending on risk tier.
Suspicious Activity Reporting
When monitoring identifies potentially suspicious activity, the compliance team files a Suspicious Activity Report (SAR) with the relevant financial intelligence unit — FinCEN in the US, NCA in the UK, or the equivalent national authority. Filing a SAR is mandatory and carries strict confidentiality requirements: the business cannot tip off the subject of the report.
Why KYC Matters
KYC requirements exist because financial crime is expensive — not just for the institutions that facilitate it, but for the merchants caught in the crossfire of regulatory action. The enforcement environment has tightened significantly over the last decade.
Global anti-money laundering and KYC fines exceeded $6.6 billion in 2023, up from $4.2 billion the year prior, according to compliance analytics firm Fenergo. The largest single penalty in recent years was the $4.3 billion settlement Binance reached with the US Department of Justice in November 2023 — a direct consequence of inadequate KYC controls on a high-volume payments platform.
For ecommerce merchants, the practical stakes are different but real. Payment processors are required to KYC their merchant customers before enabling processing. A merchant that cannot pass its processor's KYC review does not get a merchant account. Merchants selling in categories considered high-risk — subscriptions, digital goods, adult content, nutraceuticals, travel — face stricter KYC scrutiny and may need to demonstrate customer identity collection as part of their own chargeback dispute evidence. The Financial Action Task Force (FATF) estimates that 2–5% of global GDP is laundered each year, a volume that regulators are actively working to reduce through tighter KYC enforcement at every point in the payment chain.
KYC for payment processors vs. merchants
Payment processors and acquiring banks carry the primary KYC obligation under AML law. They verify merchants through know-your-business (KYB) checks before enabling processing. Merchants themselves face direct KYC obligations only in regulated product categories or when they operate as a financial intermediary. However, merchants benefit from understanding the process because KYC failures upstream — at your processor — can suspend your account without warning. Merchants operating in card-present or card-not-present environments must also maintain PCI compliance alongside KYC, as both form part of a layered security and compliance posture.
KYC vs. AML
KYC and AML are frequently used interchangeably but they describe different scopes of obligation. AML is the regulatory framework; KYC is the tooling.
| Dimension | KYC | AML |
|---|---|---|
| Scope | Identity verification process | Broad financial crime prevention framework |
| Who it applies to | Any business onboarding customers | All regulated financial institutions and their partners |
| Timing | Primarily at onboarding | Ongoing — covers the entire customer lifecycle |
| Primary obligation | Verify who the customer is | Detect, prevent, and report suspicious financial activity |
| Tools involved | ID verification, biometrics, watchlist screening | Transaction monitoring, SAR filing, risk scoring, KYC |
| Failure consequence | Cannot onboard customer without verification | Fines, account termination, criminal prosecution |
| Regulator focus | Identity completeness and accuracy | Pattern detection and reporting obligations |
KYC is one pillar of an AML program. Other pillars include transaction monitoring, sanctions screening, staff training, and independent audit. A business can have a technically compliant KYC process and still fail its AML obligations if transaction monitoring is inadequate or SARs are not filed promptly.
Types of KYC
Regulatory frameworks distinguish between three levels of due diligence, applied according to the assessed risk of the customer relationship. The EU's 4th and 5th Anti-Money Laundering Directives (AMLD4/AMLD5) codify this tiered approach, which most other jurisdictions have adopted in similar form.
Simplified Due Diligence (SDD)
Applied to customers and products deemed inherently low-risk. Examples include government entities, regulated financial institutions, and low-value prepaid products with limited functionality. SDD requires confirming the customer's identity but allows reduced documentation and less frequent monitoring. Importantly, SDD is not zero diligence — firms still need a documented risk rationale for applying the simplified standard.
Standard Due Diligence (CDD)
The baseline requirement for most customers. Standard customer due diligence requires: identity verification (name, date of birth, address), document verification, beneficial ownership determination for businesses, and ongoing transaction monitoring appropriate to the account's stated purpose. Standard CDD applies to the majority of retail payment accounts, most ecommerce merchant onboardings, and standard business accounts.
Enhanced Due Diligence (EDD)
Mandatory for high-risk customers and relationships. Enhanced due diligence triggers include: customers from high-risk jurisdictions (FATF grey list or blacklist), politically exposed persons (PEPs) and their close associates, complex ownership structures, high transaction volumes inconsistent with stated business purpose, and customers in inherently high-risk sectors (money services, crypto, gambling). EDD requires source-of-funds documentation, senior management sign-off, more frequent re-review, and enhanced transaction monitoring thresholds.
Politically Exposed Persons (PEPs)
PEPs are individuals who hold or have held prominent public positions — heads of state, senior government officials, senior military officers, senior executives of state-owned enterprises — and their immediate family and close associates. PEPs are automatically classified as high-risk and require enhanced due diligence regardless of their transaction profile, because their position creates elevated exposure to bribery and corruption risk.
Best Practices
For Merchants
- Conduct a KYC obligation mapping exercise. Determine which specific regulations apply to your business based on jurisdiction, product category, and customer base. KYC obligations for a US-based SaaS company differ materially from those for a UK-based financial services platform.
- Do not treat KYC as a one-time onboarding checkbox. Build ongoing monitoring into your compliance program. Set transaction thresholds that trigger re-verification, and perform periodic re-KYC on high-risk accounts.
- Collect only what you need. Over-collecting customer data creates privacy liability without compliance benefit. Map each data point collected to a specific regulatory requirement and delete data that no longer serves a documented purpose.
- Document your risk assessment methodology. Regulators do not just check that you verified customers — they audit your rationale for the risk tier you assigned. A defensible, documented risk model is as important as the verification itself.
- Plan for verification failures. Define in advance what happens when a customer cannot be verified — whether that means denying onboarding, escalating to manual review, or applying enhanced controls while proceeding. Undocumented edge cases create compliance gaps.
For Developers
- Build for reversibility. KYC status changes — a customer cleared at onboarding may hit a sanctions list match six months later. Design your system so that KYC status can trigger downstream access controls without requiring a manual account review workflow.
- Integrate watchlist screening as a separate, asynchronous step. Sanctions lists (OFAC SDN, EU consolidated, UN) are updated daily. Your integration should re-screen existing customers against list updates, not just at onboarding.
- Treat identity verification providers as interchangeable. Vendor lock-in on a single KYC API is a business risk. Abstract your identity verification integration so you can route different verification types — document scanning, biometrics, database lookups — to different providers based on coverage, cost, or regulatory requirement.
- Store raw verification artifacts. Regulators may request proof of what documentation was collected and when. Store encrypted copies of submitted ID images, verification timestamps, and risk assessment decisions with immutable audit logs.
- Test edge cases with synthetic identity data. Real fraudsters submit edge cases — expired IDs, cropped photos, mismatched addresses. Build a test suite that covers document type variations, failed liveness detection, and partial matches to ensure your integration handles degraded results correctly.
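The developer guidance above (reversible KYC status, re-screening existing customers after each list update, an append-only audit trail) combined with the SDD/CDD/EDD tiers from Types of KYC, as an added Python example that is not part of the original article. The jurisdiction codes, sector names and customer names are constructed placeholders, and exact-name matching stands in for the match result a real screening provider would return.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Constructed placeholders; a real program loads these from its documented risk model.
HIGH_RISK_JURISDICTIONS = {"XX", "YY"}
HIGH_RISK_SECTORS = {"money services", "crypto", "gambling"}
LOW_RISK_TYPES = {"government entity", "regulated financial institution"}

@dataclass
class Customer:
    name: str
    jurisdiction: str
    sector: str
    customer_type: str = "retail"
    is_pep: bool = False
    tier: str = "CDD"
    status: str = "pending"  # pending -> verified | blocked (reversible)
    audit_log: list = field(default_factory=list)

def assign_tier(c: Customer) -> str:
    """Map the article's EDD and SDD triggers to a tier; the default is CDD."""
    if c.is_pep or c.jurisdiction in HIGH_RISK_JURISDICTIONS or c.sector in HIGH_RISK_SECTORS:
        return "EDD"
    if c.customer_type in LOW_RISK_TYPES:
        return "SDD"  # still needs a documented risk rationale
    return "CDD"

def record(c: Customer, event: str) -> None:  # append-only, timestamped, never rewritten
    c.audit_log.append((datetime.now(timezone.utc).isoformat(), event))

def onboard(c: Customer, sanctions: set) -> str:
    c.tier = assign_tier(c)
    record(c, f"risk tier assigned: {c.tier}")
    # Exact-name match stands in for a screening provider's match result.
    c.status = "blocked" if c.name in sanctions else "verified"
    record(c, f"onboarding sanctions screen: {c.status}")
    return c.status

def rescreen(customers, sanctions: set) -> list:
    """Run after every list update so a later designation revokes access."""
    newly_blocked = []
    for c in customers:
        if c.status == "verified" and c.name in sanctions:
            c.status = "blocked"
            record(c, "sanctions match on list update: blocked")
            newly_blocked.append(c.name)
    return newly_blocked

def may_process_payment(c: Customer) -> bool:
    return c.status == "verified"  # keyed on current status, not the onboarding result
```

Wire `rescreen` to the job that ingests sanctions list updates, and have payment authorization call `may_process_payment` so a post-onboarding designation blocks processing without a manual account review.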
Common Mistakes
Treating KYC as a one-time event at onboarding
KYC is an ongoing obligation, not a checkbox. Customers who pass verification at account creation may become sanctioned, change ownership structure, or begin transacting in ways inconsistent with their stated purpose. Programs that only check identity at signup and never re-verify are vulnerable to exploitation by customers whose risk profile changed after onboarding.
Applying the same due diligence level to all customers
Using enhanced due diligence for every customer wastes resources and creates unnecessary friction for low-risk accounts. Using simplified due diligence uniformly exposes the business to regulatory liability for high-risk relationships. Risk-based tiering is not optional — it is the design principle regulators expect.
Failing to screen against current sanctions lists
Onboarding a customer and never checking them again against OFAC, EU, or UN sanctions lists is a critical gap. Regulators have imposed significant fines for processing payments to sanctioned parties that were not sanctioned at the time of onboarding but became designated afterward. Continuous or at-minimum daily re-screening is required. Sanctions screening is a distinct workstream from fraud detection — the two systems should be integrated so that a sanctions hit can block payment processing in real time, not only during a compliance review cycle.
Treating KYB the same as KYC
Business customer verification (KYB) is materially different from individual KYC. Legal entity verification alone is insufficient — regulators require identification of beneficial owners, controllers, and in some cases, key officers. Applying individual KYC logic to corporate onboarding creates structural gaps that examiners consistently flag in compliance audits.
Not documenting the risk rationale
Regulators audit the reasoning behind compliance decisions, not just the outcomes. If your team determines a customer is low-risk and applies simplified due diligence, that assessment must be documented with supporting rationale. "We verified their ID" is not a sufficient compliance record.
Ignoring beneficial ownership
For business customers, verifying the legal entity without identifying the humans who ultimately own or control it is a common and costly gap. Money launderers frequently use corporate structures to obscure beneficial ownership. Most jurisdictions now require identification and verification of all individuals holding more than 25% beneficial interest.