Know Your Customer (KYC) is the first line of defense against financial crime — and the most common source of regulatory findings. A weak KYC process lets bad actors into your system. An over-engineered one drives away legitimate customers and creates operational drag.

This guide covers practical KYC best practices for 2026, drawing on regulatory expectations from FinCEN (CIP Rule and Customer Due Diligence Rule), the FCA's Financial Crime Guide, and the EBA's Guidelines on Customer Due Diligence. It is designed for compliance teams at banks, fintechs, MSBs, and any entity subject to AML/KYC regulations.

The goal of KYC is not to collect the most documents — it is to establish a reasonable belief about who the customer is, what they do, and whether they pose a money laundering or terrorist financing risk. Every KYC procedure should serve that purpose.

1. Customer Identification & Verification

The Customer Identification Program (CIP) is the foundation. You must collect and verify core identity attributes before or during account opening.

STEP 1 Identity Collection

  • Individuals — Minimum four fields: Full legal name, date of birth, residential address, and government-issued identification number (SSN, passport number, or national ID)
  • Entities — Minimum fields: Legal entity name, formation jurisdiction, registration number, principal place of business, and tax identification number
  • Beneficial owners: Identify all individuals owning 25%+ equity interest and at least one individual with significant management control. Collect the same four fields as for individual customers
  • Authorized representatives: Verify identity of persons authorized to act on behalf of entity customers. Obtain corporate resolution or power of attorney

STEP 2 Identity Verification

  • Documentary verification: Government-issued photo ID (passport, driver's license, national ID card). For entities: certificate of incorporation, articles of association, partnership agreement
  • Non-documentary verification: Cross-reference against independent databases — credit bureaus, government registries, utility records. Acceptable as primary method or supplement to documents
  • Digital identity verification: Biometric matching, liveness detection, and document authenticity checks. Increasingly accepted by regulators when properly validated and audited
  • Discrepancy resolution: When verification fails or information conflicts, document the discrepancy and the resolution steps taken. Do not default to rejection — investigate first
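Applying the beneficial-ownership step above, as an added example that is not from the guide or any vendor: it computes each natural person's effective equity in an entity customer, following holdings through intermediate entities (indirect ownership, which goes beyond the text's wording), applies the 25% threshold, and checks that the control prong is filled; the ownership structure is constructed.

```python
from dataclasses import dataclass, field

OWNERSHIP_THRESHOLD = 0.25  # 25%+ equity interest, as the guide states


@dataclass
class Entity:
    name: str
    owners: dict = field(default_factory=dict)       # owner name -> equity fraction (0.0-1.0)
    controllers: list = field(default_factory=list)  # individuals with significant management control


def effective_ownership(name, entities, path=()):
    """Map each natural person to their effective equity fraction in `name`,
    multiplying percentages down chains of intermediate entities."""
    if name not in entities:          # a natural person, not an entity in the structure
        return {name: 1.0}
    if name in path:                  # circular holding: flag it instead of looping forever
        raise ValueError(f"circular ownership via {name}")
    declared = sum(entities[name].owners.values())
    if declared > 1.0 + 1e-9:         # data-quality check: declared holdings cannot exceed 100%
        raise ValueError(f"{name}: declared equity totals {declared:.0%}")
    result = {}
    for owner, fraction in entities[name].owners.items():
        for person, sub in effective_ownership(owner, entities, path + (name,)).items():
            result[person] = result.get(person, 0.0) + fraction * sub
    return result


def beneficial_owners(customer, entities):
    """Return (ownership prong, control prong) for an entity customer."""
    ownership = effective_ownership(customer, entities)
    owners = sorted(p for p, f in ownership.items() if f >= OWNERSHIP_THRESHOLD)
    control = list(entities[customer].controllers)
    if not control:
        raise ValueError("at least one individual with significant management control is required")
    return owners, control


# Constructed sample structure: Acme is 60% held by Beta Corp, which has three individual owners.
ENTITIES = {
    "Acme Holdings LLC": Entity("Acme Holdings LLC",
                                owners={"Beta Corp": 0.60, "Alice": 0.40},
                                controllers=["Dave"]),
    "Beta Corp": Entity("Beta Corp", owners={"Bob": 0.50, "Carol": 0.30, "Erin": 0.20}),
}

if __name__ == "__main__":
    # Bob holds 30% indirectly (60% x 50%); Carol (18%) and Erin (12%) fall below the threshold.
    print(beneficial_owners("Acme Holdings LLC", ENTITIES))
```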

Common mistake: Treating document collection as verification. A scanned passport proves someone has a passport — not that they are who they claim to be. Verification requires cross-referencing against independent sources. Regulators now specifically look for this distinction in examination findings.

2. Risk-Based KYC Approach

Not all customers need the same level of scrutiny. A risk-based approach focuses resources where the risk is highest — and regulators explicitly require it.

STEP 3 Risk Assessment & Scoring

  • Risk factors: Customer type (individual vs. entity), geography (country of residence/incorporation), product type, transaction patterns, source of funds/wealth, and industry/occupation
  • Risk scoring model: Assign numeric or categorical scores across each risk factor. Weight factors based on your institution's risk assessment. Document the methodology and review annually
  • Risk tiers: Minimum three tiers — Low, Medium, High. Each tier maps to specific KYC procedures, review frequency, and approval requirements
  • Dynamic re-scoring: Risk scores should update based on transaction behavior, adverse media triggers, and material changes. Static risk scores assigned only at onboarding miss evolving risk

Risk Tier | KYC Depth | Review Frequency | Approval Level
--- | --- | --- | ---
LOW | Simplified due diligence (SDD): CIP + basic verification | Every 3 years | Analyst
MEDIUM | Standard CDD: Full verification + source of funds | Every 2 years | Senior analyst
HIGH | Enhanced due diligence (EDD): Deep verification + source of wealth + ongoing monitoring | Annually | Compliance officer / MLRO
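The scoring model and tier table above, as an added example that is not the guide's or any vendor's code: constructed factor weights and 1-3 ratings per factor, constructed cut-offs that map the weighted score to the three tiers, the review frequency and approver from the table, and dynamic re-scoring of a sample profile on post-onboarding events (a PEP match forces EDD, as the screening section below states).

```python
from datetime import date

# Constructed factor weights; real weights come from the institution's own risk assessment.
WEIGHTS = {"customer_type": 1.0, "geography": 2.0, "product": 1.0,
           "transactions": 1.5, "source_of_funds": 1.5, "industry": 1.0}
# Review frequency (years) and approval level per tier, from the table above.
TIERS = {"LOW": (3, "Analyst"), "MEDIUM": (2, "Senior analyst"),
         "HIGH": (1, "Compliance officer / MLRO")}
# Post-onboarding events that raise one factor's rating (dynamic re-scoring).
EVENT_RULES = {"unusual_transactions": ("transactions", 3),
               "relocated_to_high_risk_jurisdiction": ("geography", 3)}


def weighted_score(ratings):
    """Weighted average of the 1 (low) to 3 (high) factor ratings, kept on the 1-3 scale."""
    return sum(WEIGHTS[f] * ratings[f] for f in WEIGHTS) / sum(WEIGHTS.values())


def tier_for(score, pep=False):
    """Cut-offs are constructed; a PEP match always requires EDD (HIGH) regardless of score."""
    if pep or score > 2.2:
        return "HIGH"
    return "MEDIUM" if score > 1.5 else "LOW"


def assess(ratings, last_review, pep=False):
    """Tier, required approver and next scheduled refresh date for a profile."""
    tier = tier_for(weighted_score(ratings), pep)
    years, approver = TIERS[tier]
    return {"tier": tier, "score": weighted_score(ratings), "approver": approver,
            "next_review": last_review.replace(year=last_review.year + years)}


def rescore(ratings, event, pep=False):
    """Apply a post-onboarding event; returns the updated (ratings, pep) pair, never mutating input."""
    if event == "pep_match":
        return dict(ratings), True
    factor, rating = EVENT_RULES[event]   # unknown events raise KeyError: add a rule, don't guess
    return dict(ratings, **{factor: max(ratings[factor], rating)}), pep


# Constructed onboarding profile: a domestic individual in a medium-risk geography.
SAMPLE = {"customer_type": 1, "geography": 2, "product": 1,
          "transactions": 1, "source_of_funds": 1, "industry": 1}
ONBOARDED = date(2026, 3, 1)  # constructed onboarding / last-review date

if __name__ == "__main__":
    print(assess(SAMPLE, ONBOARDED))                       # LOW, refresh 2029-03-01
    ratings, pep = rescore(SAMPLE, "unusual_transactions")
    print(assess(ratings, ONBOARDED, pep))                 # MEDIUM, senior analyst
    ratings, pep = rescore(ratings, "pep_match", pep)
    print(assess(ratings, ONBOARDED, pep))                 # HIGH, MLRO approval, refresh 2027-03-01
```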

3. Screening & Watchlist Checks

STEP 4 Screening at Onboarding

  • Sanctions screening: Screen all customers, beneficial owners, and authorized signers against OFAC SDN, UN, EU, UK HMT, and country-specific sanctions lists at onboarding
  • PEP identification: Check against global PEP databases. PEP status alone does not mean rejection — it triggers EDD, including source of wealth verification and senior management approval
  • Adverse media: Search for negative news coverage related to financial crime, fraud, corruption, or sanctions evasion. Use structured adverse media databases, not just Google searches
  • Ongoing screening: Re-screen existing customers when sanctions lists are updated (typically daily for OFAC). Batch screening on a scheduled basis is acceptable for lower-risk portfolios

4. Document Collection & Management

STEP 5 Document Standards

  • Acceptable documents: Maintain a documented list of accepted identification documents by country. Include validity requirements (expiration dates, notarization, apostille for foreign documents)
  • Digital documents: Define standards for digital document acceptance — resolution, file format, metadata preservation. Establish rules for when original documents are required vs. digital copies
  • Certified translations: Non-English documents may need certified translation for review. Define when translation is required vs. when original language review is sufficient
  • Retention: All KYC documents must be retained for a minimum of 5 years from the end of the business relationship. Longer periods may apply in some jurisdictions (UK: 5 years; EU: varies by member state)

5. Ongoing Monitoring & Refresh

STEP 6 Continuous KYC

  • Transaction monitoring: KYC is not complete at onboarding. Monitor transactions against the customer's stated purpose and expected activity. Deviations trigger review
  • Periodic KYC refresh: Refresh customer information on a schedule tied to risk tier (see table above). Confirm identity details, beneficial ownership, and risk rating remain accurate
  • Event-driven review: Trigger KYC review when material events occur — adverse media hit, unusual transaction pattern, change in business structure, or customer request for high-risk product
  • Customer communication: Have a defined process for requesting updated information from customers. Track response rates and escalate non-responses per your policy
  • Exit procedures: Define criteria for relationship termination when KYC cannot be maintained — non-responsive customers, unresolvable discrepancies, confirmed adverse information. File SAR if warranted

Perpetual KYC (pKYC): Leading institutions are moving from periodic refresh cycles to continuous, event-driven KYC updates. This requires automated monitoring of external data sources (registries, media, sanctions lists) and integration with your customer data. The EBA's 2025 guidelines explicitly endorse this approach for high-risk customers.

6. Common KYC Failures

Regulators cite these issues most frequently in examination findings:

Finding | Root Cause | Fix
--- | --- | ---
Incomplete beneficial ownership | Self-declaration without verification | Cross-reference with corporate registries and formation docs
Stale customer information | No periodic refresh program | Implement risk-tiered refresh schedule
Inconsistent risk ratings | Subjective assessment without model | Implement scored risk model with documented methodology
PEP not identified at onboarding | Screening only against domestic lists | Use global PEP databases with family/associate coverage
No adverse media check | Process not included in CDD workflow | Integrate structured adverse media screening at onboarding and refresh

Automating Your KYC Program

Manual KYC creates bottlenecks, inconsistency, and regulatory exposure. An analyst manually verifying identity, checking sanctions lists, running adverse media searches, and documenting everything takes 30-60 minutes per customer — and the quality varies by analyst experience and workload.

Veridact automates the full KYC workflow: identity verification against government databases, beneficial ownership mapping, screening across 29 global sanctions and PEP databases, adverse media monitoring, risk scoring, and structured audit trails. Consistent quality, complete documentation, and 60-second turnaround.
