KYC and AML interviews test both your technical knowledge and your judgment. Interviewers want to know that you understand the regulatory framework, that you can apply it to real situations, and that you can communicate clearly — because compliance professionals regularly brief senior management and regulators.
Below are the most commonly asked KYC/AML interview questions with model answers at analyst, officer, and manager levels.
Foundation questions (all levels)
1. What is the difference between KYC and AML?
KYC — Know Your Customer — is the process of verifying a client's identity and understanding the nature of their business before onboarding them. AML — Anti-Money Laundering — is the broader set of policies, controls, and procedures designed to prevent financial institutions from being used to launder criminal proceeds. KYC is a key component of AML. KYC gives you the baseline information you need to monitor customer behaviour for AML red flags.
2. What is CDD and EDD? When do you apply EDD?
CDD is Customer Due Diligence — the standard level of verification for most clients, including identity verification, understanding the business relationship, and assessing risk. EDD is Enhanced Due Diligence — a deeper level of scrutiny applied to higher-risk clients. You apply EDD when a customer is a Politically Exposed Person (PEP), comes from a high-risk jurisdiction listed by FATF, operates in a high-risk industry, or when the transaction patterns trigger a risk flag.
3. What is a Suspicious Activity Report (SAR) / Suspicious Transaction Report (STR)?
An STR or SAR is a formal report filed with the relevant financial intelligence unit when a financial institution identifies a transaction or behaviour that may indicate money laundering, terrorist financing, or other financial crime. In the UK it goes to the National Crime Agency. In the UAE it goes to the UAE Financial Intelligence Unit (UAEFIU). Filing is mandatory once a suspicion threshold is met, and tipping off the customer is a criminal offence.
4. What are the three stages of money laundering?
Placement — introducing criminal proceeds into the financial system, often through cash deposits, smurfing, or trade-based laundering. Layering — disguising the trail through a series of complex transactions, transfers, and conversions. Integration — re-introducing the laundered funds into the legitimate economy as apparently clean money, often through property purchases, business investments, or luxury assets.
Regulatory and technical questions
5. What is FATF and what is the significance of the FATF grey and black lists?
The Financial Action Task Force is an intergovernmental body that sets global AML/CFT standards. The FATF grey list identifies jurisdictions under increased monitoring — they have strategic deficiencies but are working to address them. The black list (High-Risk Jurisdictions subject to a Call for Action) identifies jurisdictions with serious deficiencies and triggers mandatory enhanced measures from financial institutions globally. Dealing with entities in these jurisdictions automatically requires EDD.
6. What is a PEP and how do you handle a PEP client?
A Politically Exposed Person is someone who holds or has held a prominent public position — heads of state, senior politicians, judges, military officers, senior executives of state-owned enterprises — and their immediate family and close associates. PEPs present elevated money laundering risk due to the potential for bribery and corruption. You must apply EDD, obtain senior management approval for onboarding, and conduct more frequent and thorough ongoing monitoring throughout the relationship.
7. What tools have you used for sanctions screening and adverse media checks?
Common tools include Refinitiv World-Check, Dow Jones Risk and Compliance, LexisNexis Bridger, Accuity, and platform-specific tools like Fenergo for KYC workflow management. Sanctions databases include OFAC (US), the UN Consolidated List, the EU Consolidated List, and HM Treasury (UK). Adverse media screening involves searching reputable news sources, court records, and regulatory enforcement databases.
8. How do you handle a false positive in sanctions screening?
A false positive is a screening alert that appears to match a sanctioned entity but is not actually that entity. The process is: document the alert and your analysis; gather sufficient information to determine it is not a true match (different date of birth, nationality, address, spelling variation); record your reasoning clearly; and clear the alert with appropriate justification. The key is that your decision and rationale must be documented so they can withstand regulatory scrutiny.
Scenario questions (manager level)
9. A long-standing client suddenly starts making large cash transactions that are inconsistent with their profile. What do you do?
This is a classic transaction monitoring red flag. First, review the customer's risk rating and transaction history to understand what is normal for this client. Second, conduct an internal investigation: check if there is a business reason for the change in behaviour, and review any recent KYC refresh data. Third, if you cannot explain the behaviour with legitimate business reasons, escalate to your MLRO. If the MLRO determines there are grounds for suspicion, file an STR. Throughout this process, you must not tip off the customer that they are under investigation.
10. How would you design a KYC refresh programme for a large portfolio?
A risk-based approach. High-risk clients — PEPs, high-risk jurisdictions, complex structures — reviewed annually or more frequently. Medium-risk clients every two to three years. Low-risk standard clients every three to five years. The programme needs a trigger-based component too: any material change in a customer's business, ownership, or transaction profile should prompt an out-of-cycle refresh regardless of their scheduled review date. Build in capacity planning — high-risk clients take significantly longer to refresh than standard ones.
Interviewers consistently ask "what would you do if" scenarios to test your judgment under pressure. The right answer structure is always: assess, investigate, escalate through the right channels, document everything.