Customer Identification Program (CIP)

Primary question answered: Who is this customer, and can we prove it?

CIP is the first stage. Before doing anything else, the bank must collect enough identity information to know who they’re dealing with, then verify that information against independent, reliable sources. This is a regulatory minimum — in the US it’s required under the Bank Secrecy Act and FinCEN’s 2016 CDD Rule; in the UK under MLR 2017; in the UAE under the DFSA AML Module.

Documents typically collected:

• Individual customers: Full legal name, date of birth, residential address, government-issued photo ID (passport, national ID, Emirates ID, Aadhaar, SSN card).
• Corporate customers: Certificate of incorporation, articles of association, board resolution authorising the account, list of directors, authorised signatories, proof of registered address.
• Trusts: Trust deed, settlor identity, trustee identity, named beneficiaries, protector (if any).
• All customers: Tax identification numbers (TIN/PAN/EIN) for cross-border relationships.

How verification actually happens:

• Document authenticity checks (hologram, MRZ strip, security features, tampering detection)
• Biometric liveness detection — proving you’re a real person, not a photo
• Cross-check against government identity registers where available
• Electronic ID verification (eKYC) for digital-first banks
• Video KYC (V-CIP) widely used in India for RBI-regulated onboarding

Customer Due Diligence (CDD)

Primary question answered: What kind of customer are they, and what should their activity look like?

CIP tells you the customer is real. CDD tells you what they do, where their money comes from, what they plan to do with the account, and how risky the relationship is. This is where a risk rating (Low / Medium / High) is assigned and the basis for ongoing monitoring is set.

What CDD actually involves:

• Nature of Business (NOB): A specific description of what a corporate customer does — not just an industry code. Vague NOB (“general trading”) is a red flag; precise NOB (“frozen seafood export to EU retailers”) lets you benchmark expected activity.
• Source of Funds (SoF): Where the specific funds being deposited come from — salary, business revenue, property sale, loan, inheritance.
• Expected transaction profile: Monthly volume, typical counterparties, geographic corridors, product usage.
• Customer Risk Rating (CRR): Scored across customer type, geography, product, delivery channel, transaction profile, and industry.
• Sanctions screening: Against OFAC, UN, EU, UK OFSI, HM Treasury, and local sanctions lists.
• PEP screening: Political exposure and RCA (Relative / Close Associate) linkage.
• Adverse media screening: Negative news across regulatory, court, and credible media sources.

Enhanced Due Diligence (EDD)

Primary question answered: This customer is higher risk — can we still do business responsibly, and what additional controls do we need?

Not every customer requires EDD. It is triggered when risk factors from Stage 2 exceed standard thresholds. FATF explicitly requires EDD for PEPs, high-risk jurisdictions, and complex ownership structures. Most banks also apply EDD to cash-intensive businesses, crypto/VASP customers, correspondent banking relationships, and any customer with adverse media findings.

Common EDD triggers:

• Customer is a Foreign PEP, Domestic PEP, or International Organisation PEP
• RCA linkage — spouse, child, parent, sibling, or close business partner of a PEP
• Customer is from or operates in a FATF grey-list / high-risk jurisdiction
• Complex corporate structures — multiple layers, offshore vehicles, trusts, foundations
• Cash-intensive business (casino, MSB, art dealer, precious metals)
• Adverse media hit requiring investigation
• Unusually high expected transaction volumes inconsistent with profile

What EDD adds beyond standard CDD:

• Source of Wealth (SoW): The origin of the customer’s total net worth accumulated over their lifetime — not just the specific funds being deposited.
• Senior management approval before the relationship is opened or continued.
• Shorter review cycles — typically annual or semi-annual, not every 3–5 years.
• Lower transaction alert thresholds in ongoing monitoring.
• Independent corroboration of declared information — not just customer attestation.
• In-person meetings where geographically feasible for private banking relationships.

Ongoing Monitoring

Primary question answered: Does this customer’s actual activity match their declared profile — and if not, why?

KYC is not a one-time event. Once the customer is onboarded, the bank continuously monitors activity against the expected profile set at CDD. Unusual activity triggers alerts, which are investigated by the AML team, which may lead to a Suspicious Activity Report (SAR) in the US or a Suspicious Transaction Report (STR) in most other jurisdictions.

Ongoing Monitoring has two halves:

• Transaction monitoring: Real-time and batch-based analysis of transactions against expected profile, typology rules, and behavioural patterns. Platforms used: Actimize, SAS AML, Oracle FCCM, in-house systems.
• Periodic review: Scheduled re-verification of the customer profile itself — typically every 3–5 years for low-risk, 2–3 years for medium-risk, annually for high-risk, and annually or more frequently for PEPs.

Trigger events (outside scheduled review):

• Customer becomes a PEP (e.g., relative appointed to senior government role)
• Change in UBO, directors, or corporate structure
• Adverse media hit post-onboarding
• Significant transaction anomaly — structuring, round-dollar patterns, high-risk geography spikes
• Change in Nature of Business or documented purpose
• Expired documents (passport, licence, tax residency cert)
• Regulatory inquiry or subpoena involving the customer