Know Your Customer (KYC)

What is KYC?

Know Your Customer (KYC) is the set of processes that financial institutions and other regulated entities use to establish and maintain a customer's identity, beneficial ownership, and risk profile across the customer lifecycle. At onboarding, KYC collects and verifies identity evidence — government-issued ID, biometrics with liveness, authoritative database checks — evaluates sanctions, politically exposed person (PEP), and adverse media exposure, identifies any beneficial owners of legal-entity customers, and assigns a risk rating that determines monitoring intensity, transaction limits, and product eligibility.

KYC is not a one-time event. Ongoing KYC includes periodic refresh cycles, event-driven updates (sanctions changes, behaviour shifts, document expiry), and continuous screening so that the customer file remains accurate and the institution's view of the customer remains current. A robust KYC programme is risk-based: higher-risk customers (PEPs, complex cross-border activity, high-risk jurisdictions) receive Enhanced Due Diligence, while lower-risk customers move through streamlined flows that minimise friction without compromising compliance.

Why KYC matters

KYC is the foundation on which every other AML control rests. Sanctions screening that doesn't know who the customer is produces meaningless results. Transaction monitoring scenarios that aren't calibrated against an accurate customer profile generate noise rather than signal. Suspicious Activity Reports filed without a verified identity behind them are difficult for FIUs to action. Regulators routinely cite weak KYC as a root cause in enforcement actions across every major jurisdiction — and the fines have escalated from millions to billions of dollars over the past decade. Beyond the regulatory exposure, weak KYC is a fraud vulnerability: synthetic identities, account takeover, mule recruitment, and impersonation all exploit gaps in identity verification. Done well, KYC simultaneously satisfies the regulator and protects the institution from financial crime losses.

What does KYC stand for and what does it mean?

KYC stands for Know Your Customer. The term originated in US banking regulation in the 1970s following the Bank Secrecy Act and was adopted globally through FATF's standards. Today the same three letters are used universally — in banking, fintech, crypto, insurance, securities, telecom, and gaming — to describe the discipline of verifying who a customer is before doing business with them and continuing to monitor that customer over time. While the underlying obligation has been called KYC, CIP (Customer Identification Program), CDD (Customer Due Diligence), or various national equivalents, the practical content is broadly the same: identify the customer, verify the identity with reliable evidence, understand the relationship's purpose, and monitor on an ongoing basis.

The KYC process: step by step

A complete KYC process moves through five stages — see our end-to-end KYC process guide for the practitioner walkthrough.

1. Customer Identification (CIP) — collect identifying information from the customer (name, date of birth, address, government identifier) and verify it against reliable, independent source documents or data.
2. Document and biometric verification — authenticate the government-issued ID submitted, perform OCR data extraction, run document forensics to detect tampering, and perform a face-match between the customer's selfie and the document photo with liveness detection.
3. Sanctions, PEP, and adverse-media screening — check the verified identity against UN, OFAC, EU, UK, and local sanctions lists, PEP databases, and adverse-media sources.
4. Risk profiling and Customer Due Diligence (CDD) — understand the nature and purpose of the customer relationship, identify beneficial owners for legal-entity customers (typically 25%+ ownership or control), and assign a customer risk rating.
5. Decisioning and recordkeeping — approve, reject, or escalate to Enhanced Due Diligence based on the risk profile, and store the full evidence package — documents, biometric scores, screening results, decision rationale, approver — for the AML retention period.

Ongoing monitoring continues from onboarding through the entire customer lifecycle, with refresh cycles calibrated to the customer's risk band.

KYC documents

The accepted document set varies by country, customer type, and use case, but the most commonly required documents include passport, national identity card, driver's licence, or residence permit for individual customers; certificate of incorporation, trade licence, memorandum and articles of association, board resolution, and beneficial-ownership declaration for legal-entity customers; and recent utility bill, bank statement, or government letter where address verification is required separately. For higher-risk customers, additional documents such as source-of-funds and source-of-wealth evidence may be required. Modern one-touch KYC platforms maintain document templates for 150+ countries and 10,000+ document variants to authenticate IDs at global scale — see our complete list of acceptable KYC documents for the typical coverage matrix.

Types of KYC

KYC implementation falls into three broad models. Traditional in-person KYC requires the customer to visit a branch or office with original documents — slow, costly, and increasingly rare for retail products in mature markets. Electronic KYC (eKYC) is the fully automated digital model: the customer self-completes document capture and selfie checks on a phone or laptop, and the system returns an approve/refer/reject decision in seconds. eKYC is the dominant model for low- and medium-risk segments in most major markets. Video KYC — also called V-CIP in some jurisdictions — adds a live, trained agent who interviews the customer over a recorded video call to verify identity. Video KYC sits between eKYC and in-person verification, delivering higher assurance for higher-risk customers or product categories where regulators require human-led verification. Most modern programmes deploy multiple models — eKYC as default, Video KYC as fallback or for higher-risk segments, in-person only where required by law.

KYC vs AML

KYC and AML are closely related but not interchangeable — see our explainer on the difference between AML and KYC. AML (Anti-Money Laundering) is the broader regime — the legal framework, supervisory architecture, and operational programme that financial institutions must operate to detect and deter money laundering and terrorist financing. KYC is one of the foundational components of an AML programme: knowing who the customer is so that suspicious activity can be detected against an accurate customer profile. AML also includes transaction monitoring, sanctions screening, suspicious activity reporting, recordkeeping, training, governance, and independent testing. A bank can have a strong KYC programme and still fail AML expectations if the other components are weak — but it cannot have a strong AML programme without strong KYC underneath it. Counterparty and customer AML screening connects the two: KYC supplies the identity, AML screening assesses whether that identity carries restricted-list exposure.

KYC vs KYB

KYC focuses on individual customers — natural persons. KYB (Know Your Business) focuses on legal-entity customers — companies, partnerships, trusts, and other organisations (see our explainer on KYB vs KYC). KYB extends KYC with additional requirements specific to entities, summarised in the table below. For a bank or fintech serving both consumer and business customers, KYC and KYB sit alongside each other in the onboarding stack.

Aspect	KYC	KYB
Subject	Individual customers (natural persons)	Legal entities (companies, partnerships, trusts)
Identity proofs	Government IDs, biometrics, address proof	Certificate of incorporation, trade licence, board resolutions
Beneficial ownership	N/A — the individual is the customer	Identify ultimate beneficial owners (25%+ ownership or control)
Verification sources	Document and biometric checks plus address registries	Corporate registries, regulator databases, UBO registries
Risk inputs	Geography, occupation, income, behaviour	Industry, corporate structure, jurisdiction, ownership chain, sanctions on entity / UBOs / directors

KYC and Re-KYC: keeping files current

KYC is not complete at onboarding. Most regulators require a periodic refresh — known as Re-KYC, Periodic KYC, or KYC Refresh — at risk-based intervals. Typical cycles run every 8–10 years for low-risk customers, 5–7 years for medium-risk, and 1–2 years (often annually) for high-risk customers and PEPs. Refresh is also event-triggered: a sanctions list update producing a new match, a material change in customer behaviour, a new beneficial owner, or expiry of a previously verified identity document. Modern programmes increasingly run perpetual KYC (pKYC) — continuous refresh through real-time data feeds, behavioural signals, and automated alerts — for low- and medium-risk segments, while retaining scheduled refreshes for high-risk relationships.