Know Your Customer’s Customer (KYCC): A Complete Guide
- KYCC goes beyond standard KYC by verifying who your customers transact with — identifying hidden risks in payment chains, shell company structures, and third-party relationships that direct customer verification cannot detect.
- Regulatory pressure is intensifying globally: FATF's June 2025 revision of Recommendation 16 strengthened cross-border payment transparency requirements, while the EU Anti-Money Laundering Authority (AMLA) begins operations in 2025 with direct supervision of high-risk firms starting in 2028.
- Platforms like Signzy enable end-to-end KYCC workflows by combining real-time KYC, KYB, AML screening against 1,000+ global watchlists, UBO verification across 150+ countries, and continuous transaction monitoring — all within a single API-driven platform.
Know Your Customer's Customer (KYCC) is the compliance practice of verifying and monitoring the identities, activities, and risk profiles of your customers' end-customers — the people and businesses your clients transact with. While standard KYC focuses on verifying your direct customers, KYCC extends that scrutiny one layer deeper into the transaction chain to detect money laundering, terrorist financing, and fraud that would otherwise remain hidden behind intermediary relationships.
KYCC is embedded within broader AML frameworks — FATF Recommendation 13 on correspondent banking, the EU's AMLD6, and the FinCEN CDD Rule in the US. For any business that facilitates transactions on behalf of others — payment processors, BaaS platforms, correspondent banks, or crypto exchanges — KYCC is increasingly critical to both regulatory compliance and operational risk management.
Related Resources
What Is KYCC (Know Your Customer's Customer)?
KYCC — Know Your Customer's Customer — is the process of identifying, verifying, and assessing the risk profiles of the end-users, beneficiaries, and counterparties that your direct customers interact with. It extends standard KYC specifically for businesses acting as intermediaries in financial transactions.
The concept originates from FATF Recommendation 13, which requires correspondent banking institutions to understand the respondent's business and assess the adequacy of its AML/CFT controls. In practice, KYCC applies far beyond correspondent banking — any business that facilitates payments or provides infrastructure for other businesses to serve their own customers faces KYCC obligations.
Practical example: A payment facilitator (PayFac) onboards an electronics merchant. Standard KYC verifies the merchant's identity and ownership. But KYCC asks: Who are the merchant's customers? Are they structuring payments to launder funds? Is the merchant processing for unlicensed sub-merchants?
Without KYCC, businesses become unwitting conduits for money laundering — bad actors exploit the gap by hiding behind a seemingly legitimate customer.
As one compliance practitioner observed on a popular AML industry forum: "KYCC is where most fintechs get caught out. They nail KYC on the merchant but have zero visibility into the merchant's customer base."
Where Does KYCC Fit in the Compliance Framework?
KYCC does not exist in isolation. It is one layer in a structured compliance framework where each process addresses a different dimension of risk. Understanding how these layers relate prevents duplication and ensures proportional due diligence.
| Process | What It Verifies | Regulatory Anchor | When It Applies |
|---|---|---|---|
| KYC (Know Your Customer) | Identity of your direct customer (individual) | FATF Rec. 10; EU 4AMLD Art. 11–13 | Every customer at onboarding |
| CDD (Customer Due Diligence) | Risk profile, source of funds, transaction purpose | FATF Rec. 10; FinCEN CDD Rule (2018) | Standard for all business relationships |
| EDD (Enhanced Due Diligence) | Deeper scrutiny: source of wealth, PEP connections, adverse media | FATF Rec. 12, 19; EU 4AMLD Art. 18 | High-risk customers, PEPs, sanctioned jurisdictions |
| KYB (Know Your Business) | Business registration, UBO identification, corporate structure | FATF Rec. 10, 24; EU AMLR Art. 52–53 | Corporate/entity onboarding |
| KYCC (Know Your Customer's Customer) | End-users, beneficiaries, and counterparties of your customer | FATF Rec. 13 (correspondent banking), Rec. 16 (wire transfers) | Intermediaries, PayFacs, BaaS, correspondent banks |
The relationship is hierarchical: KYC is the umbrella process, CDD and EDD are its risk-tiered components, KYB applies KYC principles to business entities, and KYCC extends the entire framework one layer downstream to your customer's customers. Each layer can trigger the others — a high-risk KYB finding on a merchant may escalate to EDD, which may then require KYCC on the merchant's end-users.
For a deeper look at how business verification (KYB) works in practice, see our guide on checking company legitimacy.
What Is the Difference Between KYC and KYCC?
The core distinction: KYC verifies who you are doing business with; KYCC verifies who *they* are doing business with.
| Feature | KYC (Know Your Customer) | KYCC (Know Your Customer's Customer) |
|---|---|---|
| Definition | Verifying the identity of your direct customer | Verifying the customers and counterparties of your customer |
| Focus | Individual or business onboarding | Transaction chains and downstream relationships |
| Purpose | Prevent direct fraud, identity theft, money laundering | Detect hidden risks from indirect transactions and shell structures |
| Who Uses It? | Banks, fintechs, crypto exchanges, all financial institutions | Payment processors, BaaS platforms, correspondent banks, marketplaces |
| Regulatory Basis | FATF Rec. 10; EU AMLD Art. 11–13; BSA/CDD Rule | FATF Rec. 13, 16; EU AMLD6; FinCEN Section 312 |
| Risk Layer | Direct customer risk | Supply chain and intermediary risk |
| Example | Bank verifies John Doe's identity to open an account | Payment processor checks whether John Doe's merchant customers are legitimate or processing for unlicensed sub-merchants |
Why it matters: The Panama Papers and subsequent leaks revealed that standard KYC routinely failed to detect illicit flows routed through shell companies and intermediary structures. The funds appeared clean at the direct customer level — the laundering happened one or two layers deeper in the transaction chain, exactly where KYCC provides visibility.
Which Industries Need KYCC?
KYCC obligations are not limited to traditional banks. Any business that sits between a regulated financial system and end-users faces downstream verification requirements — either by regulation or by the practical reality of managing intermediary risk.
| Industry | KYCC Obligation | Regulatory Driver | Real-World Risk |
|---|---|---|---|
| Payment Facilitators (PayFacs) | Verify sub-merchant legitimacy, monitor end-user transactions, screen beneficial owners | Card network rules (Visa/Mastercard), FinCEN CDD Rule | Sub-merchants processing for unlicensed businesses; transaction laundering |
| Banking-as-a-Service (BaaS) | Sponsor banks must oversee fintech partners' end-user KYC/AML programs | OCC, FDIC guidance (2024–2025); FinCEN shared liability rules | Fintech partner onboards high-risk users without adequate controls; sponsor bank bears regulatory liability |
| Correspondent Banking | Assess respondent bank's AML controls and understand end-user risk | FATF Rec. 13; FinCEN Section 312 (USA PATRIOT Act) | Nested accounts enabling sanctioned entities to access the financial system |
| Cryptocurrency Exchanges / VASPs | Verify users of custodial wallets, screen counterparties, apply Travel Rule | EU MiCA Regulation; FATF Rec. 15 | Mixing services and cross-chain hopping obscuring transaction origins |
| Trade Finance | Verify trade parties, assess invoice legitimacy, screen for TBML | FATF TBML guidance; 2024 US Illicit Finance Strategy | Over/under-invoicing to move value across borders |
| Gaming & Gambling | Verify player funding sources, block third-party payments, monitor high-value transactions | EU Instant Payments Reg (Oct 2025); national gambling commissions | VIP players using third-party mule accounts; structuring deposits below reporting thresholds |
The BaaS accountability gap is particularly acute. In 2024–2025, the OCC issued formal enforcement actions against multiple sponsor banks for inadequate BSA/AML oversight of their fintech partners — including failures in monitoring fintech end-users. The regulatory message is clear: the sponsor bank cannot delegate KYCC responsibility to the fintech partner, even if the partner handles day-to-day onboarding.
What Are the Regulatory Frameworks Driving KYCC?
KYCC obligations derive from multiple overlapping regulatory frameworks. No single regulation is titled "KYCC" — instead, the requirement is embedded across AML/CFT laws that mandate due diligence on downstream relationships.
FATF Recommendations (Global Standard)
- Recommendation 13 (Correspondent Banking): Requires institutions to understand the nature of the respondent's business, assess the adequacy of its AML/CFT controls, and obtain approval from senior management before establishing new correspondent relationships.
- Recommendation 16 (Wire Transfers): Revised in June 2025 to strengthen transparency for cross-border payments, domestic transfers, and VASP transactions — requiring originator and beneficiary information to travel with the payment (the "Travel Rule").
European Union
- AMLD6 (Directive 2024/1640): Expands money laundering definitions, mandates interconnected UBO registers across the EU, and enhances CDD for high-risk scenarios including intermediary structures.
- AMLR (Regulation 2024/1624): Creates a directly applicable EU-wide AML rulebook with harmonized CDD/EDD requirements — no national transposition needed.
- AMLA: The new EU Anti-Money Laundering Authority began operations in 2025 and will directly supervise high-risk financial institutions starting in 2028. It is issuing ~23 regulatory technical standards by mid-2026.
United States
- FinCEN CDD Rule (2018): Requires financial institutions to identify and verify beneficial owners of legal entity customers and conduct ongoing monitoring.
- Section 312, USA PATRIOT Act: Mandates Enhanced Due Diligence (EDD) for foreign correspondent accounts — including assessing money laundering risks, obtaining respondent AML program details, and monitoring for nested accounts.
United Kingdom
- Economic Crime and Corporate Transparency Act (ECCTA) (effective September 2025): Widens corporate liability for failure to prevent fraud and strengthens AML governance expectations — including a new single AML supervisor for professional services.
Enforcement Signals the Regulatory Direction
The scale of recent enforcement actions underscores why KYCC cannot be treated as optional:
| Institution | Year | Penalty | Regulator | KYCC Failure |
|---|---|---|---|---|
| TD Bank | 2024 | ~$3 billion | DOJ, FinCEN, OCC, FRB | Years-long BSA/AML failures including inadequate oversight of intermediary relationships and downstream transaction flows |
| Barclays | 2025 | £39.3 million | [UK FCA](https://www.fca.org.uk/news/press-releases/fca-fines-barclays-42-million-poor-handling-financial-crime-risks) | Failed to identify, assess, or mitigate money laundering risks in a corporate banking relationship — including inadequate due diligence on downstream/end-users |
| Nordea Bank | 2024 | $35 million | NYDFS | Failed to conduct proper due diligence on high-risk correspondent banking relationships; Panama Papers revealed offshore shell company facilitation |
These are not isolated incidents. Global AML fines surged 417% year-over-year in H1 2025, reaching $1.23 billion — with KYCC-adjacent failures (correspondent banking, nested accounts, intermediary oversight) representing a significant share.
How to Conduct KYCC
There is no single prescribed process for KYCC — it must be adapted to your business model, customer risk profile, and regulatory jurisdiction. However, the following four-step framework provides a practical starting point.
Step 1: Identify Which Customers Need KYCC
Not every customer requires KYCC. Apply a risk-based approach (as mandated by FATF Recommendation 1) to focus resources on customers whose business models create downstream risk.
High-risk indicators that trigger KYCC:
| Indicator | Why It Triggers KYCC |
|---|---|
| Financial intermediary (payment processor, remittance provider, digital wallet) | Their customers are transacting through your platform indirectly |
| Large, frequent, or irregular transaction patterns | High volumes may indicate structuring or layering |
| High-risk industry (crypto, gambling, forex, trade finance) | Elevated money laundering and terrorist financing exposure |
| Complex ownership structures (multi-layered holding companies, trusts) | Potential for concealing beneficial ownership |
| Operations in high-risk jurisdictions (FATF grey/black list countries) | Jurisdictional risk amplifies downstream risk |
Risk scoring approach: Assign weighted scores across these indicators. A binary "high/low" classification misses nuance — use a tiered model (e.g., 1–10 scale) that maps to proportional KYCC intensity. Customers scoring above your threshold get full KYCC; those below get periodic reviews.
Step 2: Analyze the Payment Flow Within Your Platform
Once high-risk customers are identified, map their transaction flows to understand where money originates and where it goes.
Key checks:
- Who receives payments? Legitimate businesses vs. unknown individuals vs. entities in high-risk jurisdictions.
- Where is money going? Domestic, offshore, or routing through multiple jurisdictions (a classic layering indicator).
- Structuring patterns? Frequent transactions just below reporting thresholds (e.g., multiple $9,500 transfers to avoid the US $10,000 CTR threshold).
- Velocity anomalies: Sudden spikes in transaction volume or value vs. the customer's historical baseline.
Graph analytics tools are effective here — they map transaction networks visually, revealing hidden connections that flat database queries miss.
Step 3: Verify Third-Party Connections (UBOs & Key Counterparties)
You do not need to verify every single end-user in your customer's ecosystem. Focus on the entities that pose the greatest risk:
- Ultimate Beneficial Owners (UBOs): Identify the natural persons who ultimately own or control the customer's business. Cross-reference against sanctions lists, PEP databases, and adverse media. EU AMLD6 mandates interconnected UBO registers across the EU — use them.
- Major transaction counterparties: Entities that appear frequently in your customer's transaction flow. Are they registered businesses? Do they appear on any watchlists?
- Legal entity verification: Confirm that business counterparties are registered, active, and operating in the jurisdiction they claim. Shell companies and dormant entities are red flags.
For a detailed walkthrough of business legitimacy verification, see our KYB guide.
Step 4: Continuous Monitoring, Not Just One-Time Checks
KYCC is not a one-time onboarding exercise. Customer risk profiles evolve — business models shift, new transaction partners emerge, and sanctions lists update daily.
Ongoing monitoring triggers:
- Changes in the customer's business model or ownership structure
- New high-volume transaction counterparties appearing in the flow
- Sanctions or PEP list updates that affect existing counterparties
- Adverse media flagging the customer or their key counterparties
- Regulatory changes in jurisdictions where the customer operates
2026 regulatory expectation: FATF's October 2025 recommendations update emphasized "effectiveness" over formal compliance — regulators will scrutinize whether KYCC programs actually mitigate risk through continuous monitoring, not just whether the program exists on paper. The shift is from periodic reviews (e.g., annual re-checks) to event-triggered, perpetual KYCC.
What Technology Powers Effective KYCC Programs?
Manual KYCC is impractical at scale. Modern programs rely on three technology pillars:
| Technology | KYCC Application | Why It Matters |
|---|---|---|
| Graph Analytics & Network Analysis | Maps relationships between entities, accounts, and transactions to reveal hidden connections | Detects layered ownership structures and transaction networks that flat-data approaches miss entirely |
| AI/ML Dynamic Risk Scoring | Continuously updates customer risk ratings based on evolving behavioral patterns and external signals | Reduces false positives while catching sophisticated actors who deliberately present low-risk profiles |
| Automated Screening (Sanctions, PEP, Adverse Media) | Screens counterparties against 1,000+ global watchlists with fuzzy matching for name variations | Catches aliases, transliterations, and misspellings that exact-match systems miss |
Graph analytics is foundational for KYCC. Traditional queries check records in isolation — they cannot see that Entity A connects to Entity B through Entity C via a shared UBO in a third jurisdiction. Graph databases model these multi-hop relationships natively, making them essential for detecting layered structures.
AI-driven dynamic scoring moves KYCC from static (check once, review annually) to continuous (real-time updates as transactions, watchlist changes, or adverse media emerge). According to Moody's analysis of correspondent banking KYCC, the industry is shifting to perpetual monitoring driven by event triggers rather than calendar-based reviews.
How Signzy Helps Organizations Implement KYCC
KYCC programs require identity verification, business verification, AML screening, and transaction monitoring — typically stitched together from multiple vendors. Signzy consolidates these into a single, API-driven compliance infrastructure.
- KYC/KYB foundation: One Touch KYC verifies identities across 120+ countries in under 5 seconds. The KYB suite traces UBO structures through corporate registries in 180+ countries, including multi-layered ownership chains.
- Downstream screening: AML screening covers 1,000+ global watchlists (OFAC, UN, EU, FinCEN, SEBI, RBI) with fuzzy logic matching for name variations and transliterations. Watchlists update daily.
- Ongoing monitoring: AI-powered transaction monitoring detects structuring, layering, and rapid fund movements across payment types — generating regulatory-ready SAR/STR reports with audit trails.
- No-code configuration: Compliance teams can configure KYCC verification flows, adjust risk thresholds, and deploy jurisdiction-specific rules without developer involvement.
For organizations building their first KYCC program, start with robust KYC and business verification to filter high-risk customers at onboarding, then layer KYCC for customers whose business models create downstream exposure.
FAQ
What is the difference between KYCC and Enhanced Due Diligence (EDD)?
Is KYCC legally required?
How does KYCC apply to cryptocurrency platforms?
What data sources are needed for effective KYCC?
How often should KYCC reviews be conducted?
What is the biggest operational challenge in implementing KYCC?
Spread the knowledge!
Found this useful ? Share what you learned!
Shivam Agarwal
Shivam heads the go-to-market strategy at Signzy. He holds the CFA charter and a strong background in financial operations, PE analysis and strategy. His prior roles include business strategy and private-equity analysis in the financial services and fintech domain, giving him deep insight into client needs, risk-adjusted economics and monetisation models for compliance & identity verification platforms.
