Top 100 KYC Interview Questions & Answers — Global Edition

Real scenario-based questions asked at Goldman Sachs, JPMorgan, Barclays, BNY, Emirates NBD, and eClerx — sourced from candidate debriefs across investment banks, custody firms, KPOs, and fintechs globally.

100 Questions · 5 Categories · 35 Min Read · 2026 Global Edition
Built for candidates targeting: Goldman Sachs · JPMorgan Chase · Morgan Stanley · Bank of America · Citi · Barclays · BNY · State Street · eClerx · Genpact · Revolut
SECTION 01

Foundation & Core Concepts

30 questions
01
What is KYC, and why do financial institutions perform it?
KYC (Know Your Customer) is the process of verifying a customer’s identity, assessing their risk profile, and monitoring their activity over time. Banks perform KYC to comply with AML/CFT regulations, prevent financial crime, and avoid regulatory fines — HSBC paid $1.9B in 2012 for KYC failures; Danske Bank laundered $200B via weak controls.
02
What is the difference between KYC and AML?
KYC is the foundation — identify, verify, monitor customers. AML is the broader program that includes KYC plus transaction monitoring, SAR/STR filing, sanctions screening, training, and governance. You cannot have effective AML without effective KYC.
03
What are the four stages of the KYC process?
(1) Customer Identification Program (CIP) — collect and verify ID documents. (2) Customer Due Diligence (CDD) — understand customer profile and expected activity. (3) Enhanced Due Diligence (EDD) — deeper review for high-risk customers. (4) Ongoing Monitoring — continuous review of transactions against profile.
04
What is the difference between CIP and CDD?
CIP answers ‘who is the customer?’ — name, DOB, address, ID number. CDD answers ‘what kind of customer are they?’ — occupation, source of funds, expected activity, risk rating. CIP is a subset of CDD.
05
What are SDD, CDD, and EDD?
SDD (Simplified Due Diligence) — for low-risk customers (listed public companies, regulated financial institutions). CDD (Standard) — the default for most customers. EDD (Enhanced) — for PEPs, high-risk jurisdictions, unusual transactions, and complex structures.
06
What is a risk-based approach (RBA) in KYC?
RBA means allocating compliance resources proportionally to risk. Low-risk customers get lighter scrutiny; high-risk customers get deeper due diligence. It is mandated by FATF Recommendation 1 and is the foundation of every modern AML program.
07
What are the FATF 40 Recommendations?
FATF (Financial Action Task Force) issues 40 recommendations that set global AML/CFT standards. They cover customer due diligence, beneficial ownership transparency, sanctions, STR filing, international cooperation, and supervision. Countries are assessed via Mutual Evaluations; failure leads to grey-list or blacklist status.
08
What is the FATF grey list vs black list?
The grey list (‘Jurisdictions under Increased Monitoring’) identifies countries with strategic AML deficiencies that have committed to fix them. The black list (‘High-Risk Jurisdictions subject to a Call for Action’) includes countries like North Korea and Iran — effectively barred from mainstream finance. Transacting with these jurisdictions triggers EDD.
09
What are the three stages of money laundering?
(1) Placement — introducing dirty cash into the financial system. (2) Layering — creating complex transaction chains to obscure the origin. (3) Integration — reintroducing the now-clean funds into the legitimate economy. KYC primarily disrupts placement and layering.
10
How does terrorist financing (CFT) differ from money laundering (AML)?
Money laundering hides the illegal origin of funds. Terrorist financing can use legal funds (donations, business revenue) directed at illegal purposes. Screening approaches overlap, but CFT relies more heavily on sanctions lists and pattern detection of small, targeted transfers.
11
What is an Ultimate Beneficial Owner (UBO)?
The natural person who ultimately owns or controls a customer — typically 25%+ ownership (FATF threshold) or significant control via voting rights, board appointments, or agreements. For trusts, it’s the settlor, trustee, protector, and named beneficiaries.
12
What is a Politically Exposed Person (PEP)?
A PEP is an individual entrusted with a prominent public function — heads of state, senior politicians, military officers, judiciary, senior executives at state-owned enterprises. Family members and close associates (RCAs) are also treated as PEPs. PEPs require EDD and senior management approval.
13
What is the difference between a domestic PEP, foreign PEP, and international organisation PEP?
Foreign PEPs (always high-risk) hold public positions in foreign jurisdictions. Domestic PEPs hold positions in the same country as the bank. International organisation PEPs work at bodies like the UN, IMF, or World Bank. Most jurisdictions apply stricter rules to foreign PEPs.
14
How long does a PEP remain a PEP after leaving office?
Most jurisdictions apply a ‘declassification period’ of 12–24 months, but risk does not automatically disappear. Best practice: maintain PEP status until risk assessment shows residual influence, corruption proceeds, or network ties have dissipated. Some banks retain PEP status indefinitely for high-risk jurisdictions.
15
What are Source of Funds (SoF) and Source of Wealth (SoW)?
SoF is the origin of the specific funds being deposited or invested (salary, business revenue, property sale, loan). SoW is the origin of the customer’s total net worth built over their lifetime (inheritance, business, investments, career earnings). SoW matters most for HNW and PEP customers.
16
What documents verify Source of Funds?
Payslips, bank statements, employment letters, business financials, property sale agreements, share sale contracts, dividend statements, inheritance documents, and tax returns. The documents must be recent, in the customer’s name, and consistent with the declared amount.
17
What is adverse media screening?
Systematic monitoring of news sources, regulatory databases, and investigative journalism for negative information about customers — fraud, corruption, sanctions evasion, tax evasion, environmental violations, human rights abuses. Triggers enhanced review when matches are found.
18
What is sanctions screening?
Screening customers and counterparties against sanctions lists maintained by OFAC (US), UN, EU, UK OFSI, HM Treasury, and others. Sanctions breaches carry the most severe penalties in compliance — Standard Chartered paid $1.1B in 2019 for sanctions violations.
19
What is OFAC’s 50% Rule?
Any entity owned 50% or more (directly or indirectly, individually or aggregate) by a sanctioned party is itself treated as sanctioned, even if not explicitly listed. This requires you to trace ownership chains and aggregate sanctioned shareholders across the structure.
20
What is a Customer Risk Rating (CRR) and what factors influence it?
A score (low/medium/high) assigned to each customer based on: customer type (individual/corporate/PEP), geography, product/service, delivery channel, transaction profile, and industry. CRR drives periodic review frequency, monitoring sensitivity, and approval requirements.
21
What is periodic KYC review, and how often is it conducted?
A scheduled re-verification of customer information. Typical frequencies: low-risk = every 3–5 years, medium-risk = every 2–3 years, high-risk = annually, PEP = annually or more frequently. Triggered outside schedule by material changes (PEP status, adverse media, transaction pattern shifts).
22
What is a trigger event in KYC?
An event that forces re-verification outside the normal cycle: a customer becoming a PEP, change in UBO, adverse media hit, significant transaction anomaly, change in Nature of Business, expired documents, or regulatory inquiry.
23
What is Nature of Business (NOB) and why does it matter?
NOB is a specific description of what a corporate customer actually does — not just its industry code. A vague NOB (‘general trading’) is a red flag; a precise NOB (‘frozen seafood export to EU retailers’) allows you to benchmark expected transaction patterns.
24
What is the difference between identification and verification?
Identification is collecting the customer’s information (they say their name is X). Verification is confirming it is accurate using independent, reliable sources (checking the passport against the issuing government’s registry).
25
What is a Suspicious Activity Report (SAR) vs Suspicious Transaction Report (STR)?
SAR is the US term under BSA, filed with FinCEN. STR is used in most other jurisdictions (UK FCA, India FIU-IND, UAE GoAML, Canada FINTRAC). Both are filed when there is reasonable suspicion of money laundering or other financial crime.
26
What is a Currency Transaction Report (CTR)?
A US-specific report filed with FinCEN for any cash transaction exceeding $10,000 in a business day. Unlike a SAR, it is not based on suspicion — it is a threshold-based disclosure. Structuring to avoid the CTR threshold is itself a federal offence.
27
What is structuring (also called smurfing)?
Breaking a large transaction into multiple smaller ones to avoid reporting thresholds. Example: nine deposits of $9,500 each instead of one $85,500 deposit. It is itself a predicate crime under the BSA, even if the underlying funds are legal.
28
What is KYC record retention and how long do records need to be kept?
Most jurisdictions require retention for at least 5 years after the customer relationship ends. In the US (BSA) it’s 5 years; in the UK (MLR 2017) it’s 5 years; in the EU (6AMLD) it’s 5 years with an option up to 10. UAE and Singapore follow the 5-year minimum.
29
What are the core pillars of a BSA/AML program in the US?
(1) Designated AML officer, (2) written policies and procedures, (3) independent testing (audit), (4) ongoing training, (5) CDD and beneficial ownership (the ‘fifth pillar’ added by FinCEN’s 2016 CDD Rule).
30
Why must KYC files be readily available for regulators?
Regulators — FCA, FinCEN, FINTRAC, DFSA, MAS — conduct on-site and desk-based examinations. Unavailable, disorganised, or incomplete files are a direct audit finding. Inability to produce a customer file within a defined period (often 24-72 hours) can itself trigger enforcement.
SECTION 02

CDD & EDD Deep Dive

25 questions
31
When should you escalate from CDD to EDD?
When any of the following are present: (1) the customer is a PEP or RCA, (2) customer is from a high-risk jurisdiction, (3) customer is a cash-intensive business, (4) adverse media is identified, (5) the customer operates through complex or offshore structures, (6) there is unusual activity inconsistent with declared profile.
32
What are typical EDD measures?
(1) More detailed SoF/SoW verification, (2) senior management approval before opening, (3) shorter review cycles, (4) lower transaction alert thresholds, (5) enhanced ongoing monitoring, (6) in-person meetings where feasible, (7) independent corroboration of declared information.
33
How do you verify SoW for a high-net-worth individual with wealth accumulated over decades?
Layer multiple sources: (1) career history — employment letters, senior role certifications, board memberships; (2) business wealth — company financials, sale/exit documentation; (3) investment wealth — portfolio statements, dividend records; (4) inherited wealth — will copies, probate documents; (5) property wealth — title deeds. No single document is sufficient.
34
How do you identify UBOs in a multi-layered corporate structure?
Request the full ownership chart. Work top-down from the customer entity — list each shareholder, check ownership percentage, continue up until you reach natural persons holding 25%+ (direct or indirect). Apply aggregation rules for related parties. Document control paths separately from ownership paths — sometimes control exists without ownership.
35
How do you identify UBOs when ownership is through a trust?
Map settlor, trustee, protector, and named/class beneficiaries. For discretionary trusts, identify classes of beneficiaries and the actual distributions received. Request the trust deed, letter of wishes (where available), and distribution history. Professional trustees must themselves be due-diligenced.
36
What is the 25% UBO threshold — do you apply it strictly?
25% is a floor, not a ceiling. You must also identify parties with ‘control’ below 25% — via voting agreements, board appointments, veto rights, or family-linked aggregate holdings. Most regulators explicitly state that mechanical 25% application is a compliance failure.
37
How do you handle circular ownership structures where A owns B, B owns C, and C owns A?
Circular structures are themselves a red flag. Escalate immediately. Determine where real cash/economic benefits flow — this usually exposes a natural person outside the loop who holds a minority stake with effective control. Document the rationale and obtain senior approval before onboarding.
38
What steps are involved in CDD for a partnership or LLP?
Verify: (1) partnership agreement, (2) registration/incorporation certificate, (3) list of partners with ID/address proof, (4) authorised signatories, (5) NOB, (6) SoF, (7) expected transaction profile, (8) UBO where a partner is itself a corporate entity. Partners with 25%+ interest are UBOs.
39
What additional KYC applies to a non-profit organisation (NPO)?
NPOs carry elevated CFT risk per FATF Recommendation 8. Verify: registration with charity regulator, governing documents, trustee/director list, funding sources, recipient geographies, program activities, audited accounts. Scrutinise cross-border transfers to conflict zones.
40
How do you KYC a correspondent banking relationship?
Apply CDD per FATF Recommendation 13: verify respondent’s AML program, licences, regulatory supervision, senior management, business nature, and respondent’s own correspondent relationships (nested correspondent is high-risk). Payable-through accounts require full beneficiary-level transparency.
41
What specific KYC challenges apply to crypto exchanges / VASPs?
(1) Wallet address screening against OFAC/sanctioned wallets, (2) Travel Rule compliance (FATF R16), (3) on-chain forensics, (4) mixer/tumbler usage detection, (5) custody vs non-custody model affects obligations.
42
What is the FATF Travel Rule for virtual assets?
Under FATF Recommendation 16, VASPs must transmit originator and beneficiary information (name, address, ID, wallet) with any virtual asset transfer above the threshold (typically $1,000 or €1,000). Non-compliance means the transfer is considered unverified and high-risk.
43
How do you KYC a shell company — or decide it’s legitimate?
Red flags: no employees, no physical office, no operational history, complex ownership, registered in secrecy jurisdictions. Legitimate uses exist (holding companies, SPVs). Verify: genuine business purpose, independent financial statements, contracts with third parties, asset holdings, and whether directors are genuine vs nominees.
44
What are signs of nominee directors or shareholders?
(1) Same individual serving as director across dozens of unrelated companies, (2) directors employed by corporate service providers, (3) P.O. Box addresses, (4) directors with no visible business background, (5) declaration-of-trust documents in ownership chain, (6) director willing to sign without asking business questions.
45
How do you assess a high-risk geography?
Use multiple sources: FATF lists, Basel AML Index, Transparency International CPI, EU high-risk third-country list, OFAC sanctions geography, your own bank’s country risk matrix. A customer’s residence, operations, transaction counterparties, and source of funds jurisdictions all count.
46
Why are cash-intensive businesses high-risk?
Cash businesses (casinos, money service businesses, car washes, restaurants, art/gold dealers) can obscure the true origin of funds. Red flags include revenue inconsistent with industry norms, unexplained multi-location deposits, and inability to reconcile cash to customer receipts. Apply enhanced monitoring and periodic on-site review.
47
What risks does trade finance present to KYC?
Trade-based money laundering via over/under-invoicing, phantom shipments, multiple invoicing, and false descriptions of goods. KYC must verify: actual goods, shipping documents, end-to-end counterparties, historical trade patterns, and alignment between declared NOB and observed trade flows.
48
How do you handle KYC when the UBO is a minor?
Verify the minor’s ID (birth certificate, passport), the guardian’s ID, the legal basis for the arrangement (court order, parental authority, trust deed), and the actual source of funds — funds almost always come from adults, who must themselves be fully KYC’d.
49
How do you KYC a virtual-only business with no physical office?
Verify incorporation and licensing, evaluate business model plausibility, review customer/counterparty contracts, check domain registration age and reputation, assess tech infrastructure (hosting, payment processor), and cross-check employee LinkedIn footprints. A legitimate virtual business leaves verifiable digital traces.
50
What is the difference between periodic review and ongoing monitoring?
Periodic review is scheduled re-verification of the customer profile itself. Ongoing monitoring is continuous review of transaction activity against profile. One looks at ‘who they are,’ the other at ‘what they’re doing.’ Both are required — missing either creates a material control gap.
51
What should a good KYC file note or rationale contain?
(1) The specific decision made (approve, EDD, decline, SAR), (2) the evidence relied upon, (3) the risk factors considered, (4) any open concerns and mitigants, (5) senior approval where required, (6) the date and the analyst’s name. A good note lets a reviewer two years later understand exactly why the decision was made.
52
What should you do if a Relationship Manager pressures you to onboard a client despite missing KYC documents?
Do not approve. State the specific missing items, the risk it creates, and the regulatory basis. Escalate to your team lead and, if pressure continues, to the MLRO or Head of Compliance. Independence of the KYC function is a regulatory expectation — caving to commercial pressure is a personal career and regulatory risk.
53
How do you handle KYC for a listed public company?
Verify listing status on a recognised exchange (often allows SDD), collect annual report, board/director list, major shareholders above the disclosure threshold, regulatory filings, and confirm no sanctions/adverse media. Private subsidiaries of listed entities require fuller CDD.
54
How do you distinguish SoF from SoW in EDD for a business owner?
SoF is ‘where the $5M being deposited came from’ — typically recent business sale proceeds or dividends. SoW is ‘how the customer accumulated $50M total net worth over 20 years’ — founder equity, company valuation, accumulated dividends, property gains. SoW must reconcile to known career and investments.
55
What additional CDD applies when onboarding a subsidiary of a foreign multinational?
Verify the subsidiary’s own incorporation, directors, UBOs, and local business activity — then extend up the chain to the parent. Sanctions and adverse media screening must cover the full group. If the parent is in a high-risk jurisdiction, the subsidiary inherits elevated risk even if locally compliant.
SECTION 03

PEP, Sanctions & Adverse Media

20 questions
56
How do you handle a customer name that partially matches a sanctions list?
Do not clear it mechanically. Compare secondary identifiers: DOB, nationality, address, place of birth, occupation, family members. Use name-matching confidence thresholds. If any secondary identifier aligns, treat as probable match — escalate to Sanctions Officer and hold the account/transaction. Document the full rationale either way.
57
What is a false positive, and how do you manage volumes?
A false positive is a sanctions or PEP screening alert that, on investigation, does not match the real customer. Managing volume: tune matching algorithms, use secondary identifiers, maintain a ‘known cleared’ list with review cycles, and invest in quality screening tools.
58
How do you classify a PEP whose uncle became a minister after account opening?
The customer becomes a PEP-by-association (Relative or Close Associate) at the moment of the uncle’s appointment. Immediately reclassify to high-risk, obtain senior management approval to continue the relationship, commission EDD refresh including SoW update, and move to enhanced ongoing monitoring.
59
Is a senior civil servant (unelected) a PEP?
Yes in most definitions — FATF specifically includes senior government officials, judges, senior military, and senior executives of state-owned enterprises. The elected/unelected distinction matters less than the level of authority and access to public resources.
60
Who counts as a Relative or Close Associate (RCA) of a PEP?
Relatives: spouse, children, parents, siblings, in-laws (scope varies by jurisdiction). Close associates: business partners in joint ownership, persons with sole beneficial ownership of a legal entity known to be for the PEP’s benefit, individuals with close professional relationships. Apply the same EDD standards as the PEP.
61
A senior official at an international organisation opens an account. PEP treatment?
Treat as international organisation PEP — most jurisdictions apply the same EDD standards as foreign PEPs. Obtain senior approval, verify SoW, and apply enhanced monitoring. Employment letters alone are insufficient given the diplomatic immunity context.
62
A customer’s 80% name match with a sanctions entry has the same nationality but a different middle name. What do you do?
Investigate before clearing. Many sanctioned individuals use name variants; same nationality raises the probability materially. Check DOB, place of birth, other identifiers, photograph if available. If unable to exclude definitively, hold and escalate to Sanctions Officer — do not clear on middle-name alone.
63
Adverse media reveals a customer is ‘under investigation’ in another country. How do you assess?
(1) Verify the source credibility, (2) identify the nature of allegations, (3) determine stage (preliminary inquiry vs formal charge vs conviction), (4) check official regulator/court websites for corroboration, (5) review the customer’s own disclosure. Escalate to senior compliance for risk rating and relationship decision.
64
How do you assess adverse media reliability?
Prioritise: (1) established news outlets (Reuters, Bloomberg, FT, WSJ), (2) regulatory/court records, (3) government announcements. Lower weight: single-source blogs, anonymous posts, social media. Tier findings by severity and relevance.
65
How do you handle adverse media in a foreign language?
Use professional translation or screening tools with local-language coverage. Regional coverage is critical — many high-value adverse-media findings appear only in local-language outlets (Spanish, Mandarin, Arabic, Russian). English-only screening is a material control gap for international customers.
66
When does adverse media warrant relationship termination?
Clear indicators: (1) credible evidence of ongoing financial crime, (2) conviction for AML/CFT offences, (3) sanctions inclusion of customer or UBOs, (4) regulatory debarment from financial services, (5) inability to rebut or mitigate serious allegations. Document the exit rationale; file SARs as appropriate.
67
What’s the difference between primary and secondary sanctions?
Primary sanctions bind US persons and transactions touching US jurisdiction (USD clearing, US tech, US nexus). Secondary sanctions extend to non-US persons — they risk losing access to the US financial system if they transact with certain sanctioned parties. Compliance must consider both.
68
What are sectoral sanctions?
Sanctions that target specific sectors (energy, defence, finance) or specific activities (new debt/equity issuance) rather than the entity entirely. Complex to operationalise — you may transact with a sectorally-sanctioned entity for permitted activities but be barred from others. Requires granular product/service-level controls.
69
What is sanctions evasion through third countries?
A sanctioned party uses intermediaries in non-sanctioned jurisdictions to access the global financial system. Red flags: unusual use of ‘transit’ jurisdictions, routing inconsistent with economic logic, third-party payments where the beneficial customer is actually sanctioned. Trade-based evasion is a major typology.
70
A customer transacts with Country A (sanctioned) via a company in Country B (not sanctioned). Invoice values are exactly at customs thresholds. Red flags?
Strong red flags for sanctions evasion and trade-based laundering: (1) the use of Country B as a shell intermediary, (2) exact-threshold invoicing to avoid scrutiny, (3) pre-existing Country A exposure. File internal alert, freeze pending review, escalate to Sanctions Officer and MLRO.
71
A customer is on the OFAC SDN list but has a valid OFAC General Licence. Can you transact?
Only within the strict scope of the licence. You must: (1) verify the licence is current and applies to the specific transaction, (2) ensure all parties named in the licence are correctly identified, (3) document reliance on the licence in the customer file, (4) monitor for scope deviation. Escalate doubts to Sanctions Officer.
72
A subsidiary customer has a parent in a FATF-blacklisted jurisdiction. KYC approach?
The subsidiary inherits jurisdictional risk regardless of its local operations. Apply full EDD, verify independence of funding flows, scrutinise parent-subsidiary transactions, obtain senior management approval, and apply quarterly review cycles. Many banks decline these relationships outright.
73
How do you conduct ongoing PEP screening after onboarding?
Use automated screening tools that refresh against commercial PEP databases (Dow Jones, LexisNexis, Refinitiv World-Check) on a scheduled basis — daily for high-risk populations, weekly/monthly for lower-risk. Alert on new PEP status, new adverse media, or changes in existing entries.
74
How do you handle a PEP who has retired for 10+ years?
Assess residual risk: (1) ongoing influence, (2) wealth still tied to PEP tenure, (3) ongoing business with government counterparties, (4) family members still in office. If residual risk is low, some jurisdictions permit declassification; document the decision with senior approval. High-corruption-country PEPs are rarely declassified.
75
What criteria should you use when selecting a PEP database vendor?
(1) Coverage (geographies, roles, RCAs), (2) update frequency, (3) source transparency, (4) false-positive rates, (5) integration with your screening platform, (6) ability to tune matching rules, (7) language coverage, (8) auditability. Most tier-1 banks use two vendors for redundancy.
SECTION 04

Scenario-Based Questions

17 questions
76
A customer wants to deposit $45,000 in cash into their new account. What do you do?
(1) Ask SoF — payslip, business receipts, property sale. (2) Cross-check declared occupation and expected transaction profile. (3) Document the rationale. (4) If US-based, file a CTR (>$10K threshold). (5) If explanation is weak or inconsistent, file an SAR and consider relationship decline. Cash deposit alone is not suspicious — unexplained cash is.
77
A customer makes nine cash deposits of $9,500 each over two weeks. Analysis?
Classic structuring pattern to evade the $10K CTR threshold. File an SAR regardless of whether the underlying funds are legal — structuring is itself a predicate crime. Freeze pending investigation, obtain SoF explanation, and consider closure.
78
A 25-year-old customer, declared salary $60,000, deposits $800,000 from a shell in a tax haven. Red flags?
(1) Transaction wildly inconsistent with profile, (2) shell company counterparty, (3) tax-haven jurisdiction, (4) no prior SoF declaration for this amount. File internal alert, freeze the funds, request SoF explanation, consider SAR and relationship closure.
79
A customer deposits $5M claiming recent inheritance. Verification?
Request: (1) will copy (certified), (2) probate or letters of administration, (3) death certificate of testator, (4) correspondence from the estate solicitor, (5) evidence of testator’s wealth (SoW), (6) if assets were from a non-domestic estate, equivalent legal documents. Verify names, amounts, and timing reconcile.
80
A customer wants to buy a $2M property through a corporate entity. Due diligence?
Verify: (1) corporate UBOs (drill through to natural persons), (2) SoF for the $2M, (3) actual end-use of the property, (4) consistency with business purpose, (5) independent corroboration of corporate operations. UK regulators specifically flag property via corporate vehicles as high-risk.
81
A professional poker player claims $15M winnings as Source of Wealth. Approach?
Request: (1) tournament winnings records, (2) casino/operator payout statements, (3) tax filings in relevant jurisdictions, (4) bank statements showing winnings receipts, (5) historical consistency. Cross-check against public tournament records. Gambling wealth is plausible but requires strong documentation.
82
A tech founder’s SoW is ‘company acquisition by a large tech firm.’ Documents needed?
(1) Share purchase agreement (redacted if necessary), (2) public announcement or filing of the acquisition, (3) cap table confirming the founder’s equity share, (4) proceeds confirmation (bank statement or escrow release), (5) tax filings. Verify named acquirer and transaction exist via press/SEC filings.
83
A former head of state opens a private banking account two years after leaving office. Special considerations?
Remains a PEP. Apply full EDD: SoW reconstruction across the full tenure, family wealth mapping, property portfolio verification, adverse media deep-dive. Senior management and MLRO approval. Some banks decline outright.
84
A charity’s board includes politically connected individuals. UBO approach?
Charities do not have ‘owners’ — identify controllers instead: trustees, directors, settlor-equivalents, major donors. Screen each for PEP/sanctions/adverse media. Verify charity registration, audited accounts, recipient geographies (especially conflict zones), and donation patterns.
85
A shipping company’s vessels occasionally visit sanctioned ports ‘for emergency repairs.’ How do you handle?
High-risk for sanctions evasion. Request: (1) port call records, (2) emergency documentation, (3) cargo manifests during visits, (4) vessel tracking data (AIS). Verify each ‘emergency’ stands up to scrutiny. Repeated incidents suggest deliberate evasion — escalate to Sanctions Officer, consider closure.
86
A customer receives crypto from a wallet that previously interacted with a sanctioned wallet. How do you investigate?
(1) Blockchain forensics via Chainalysis/Elliptic/TRM — trace exposure degree (direct vs indirect), (2) time elapsed, (3) transaction volumes, (4) whether a mixer was used. Direct exposure = hold and consider SAR. Indirect exposure via multiple hops is more ambiguous — document risk assessment, apply enhanced monitoring.
87
A customer has 6 layers of ownership including trusts, foundations, and offshore entities. Approach?
Map the entire chain on an ownership diagram. At each layer: document ownership %, control rights, jurisdiction. Drill to natural persons. Verify each offshore jurisdiction against your risk matrix. Complex structures are not illegal — but legitimate businesses rarely need 6 layers. Require plausible commercial rationale.
88
A company is 30% owned by Fund A, 30% by Fund B, 40% by a Family Trust. UBO identification?
Fund A and Fund B (both <25% each standalone, but need scrutiny if same economic group). Family Trust (40%): identify settlor, trustee, beneficiaries — the trust settlor/major beneficiaries are likely UBOs. Apply the control test: aggregate related-party holdings, check voting arrangements.
89
A customer’s transactions show ‘consulting fees’ to a sanctioned-country company with vague descriptions. Investigation approach?
Strong sanctions evasion risk. Freeze pending review. Request: (1) underlying consulting contract, (2) scope of work, (3) deliverables, (4) consultant’s own business activity. Verify contract is real and specific. Vague descriptions + sanctioned-country counterparty = near-certain grounds to file an SAR and close the relationship.
90
A middle-income professional suddenly deposits $8M claiming ‘lucky investments.’ Approach?
Deep SoF verification required. Request: (1) brokerage statements showing positions and gains, (2) tax filings reflecting capital gains, (3) cost basis of the investments, (4) timeline consistency. Weak documentation = file SAR, consider closure.
91
An export business has minimal staff, no warehouse, but high transaction volume. How do you verify?
Classic trade-based money laundering red flag. Request shipping documents, customer contracts, and warehouse subcontracting agreements. Conduct on-site visit if possible. Verify invoices reconcile to actual goods via third-party logistics data. Inability to corroborate physical operations = file SAR.
92
A private equity fund has 200+ investors investing in a portfolio company. UBO approach?
Treat the fund as the customer; its General Partner and Investment Manager are the controlling parties. LPs are not typically treated as UBOs unless they hold 25%+ of the fund. Request: fund’s PPM, GP/LP split, major LPs, fund regulator. Apply EDD to the GP.
SECTION 05

Regulatory & Governance

8 questions
93
What are FinCEN’s 2016 CDD Rule requirements?
Legal entity customers must identify and verify beneficial owners at account opening. Four-prong requirement: (1) identify customer, (2) verify identity, (3) identify beneficial owners (25%+ ownership + 1 control person), (4) understand nature and purpose of the relationship. It became the ‘fifth pillar’ of BSA/AML.
94
What are the key requirements of the EU’s 6th AML Directive (6AMLD)?
6AMLD harmonised AML law across member states and (1) defined 22 predicate offences, (2) extended liability to legal persons, (3) increased penalties, (4) tightened UBO registers, (5) enhanced cross-border cooperation. In force since December 2020 for member states, June 2021 for regulated entities.
95
What is the role of an MLRO (Money Laundering Reporting Officer)?
A named senior individual accountable for the firm’s AML/CFT compliance. Responsibilities: reviewing internal SAR/STR submissions, filing with the regulator, serving as liaison with authorities, overseeing the AML program, and reporting to the board. FCA-regulated firms must have a designated MLRO.
96
What is the 314(b) information-sharing provision?
A US PATRIOT Act provision that allows financial institutions to voluntarily share information with each other to identify and report potential money laundering or terrorist financing, with safe-harbour protection from liability. Firms must first register with FinCEN. Use is tightly controlled and documented.
97
What is independent testing, and who should perform it?
Independent testing (audit) is one of the BSA/AML pillars — an objective evaluation of the AML program’s effectiveness. It must be performed by personnel not involved in AML operations (typically Internal Audit, or an external firm for smaller institutions). Findings are reported to the board. Annual or risk-based frequency.
98
What should be included in an effective AML training program?
(1) Role-specific content, (2) current typologies and red flags, (3) regulatory updates, (4) escalation procedures, (5) case studies, (6) testing/assessment, (7) documented completion records. FATF expects training frequency to reflect risk — at minimum annually, more often for high-risk functions.
99
How do you prepare for a regulatory exam (e.g., FCA, FinCEN, DFSA, FINTRAC)?
(1) Self-assess the AML program against regulatory expectations, (2) ensure KYC files are organised and retrievable, (3) document the risk-based approach and supporting evidence, (4) run mock interviews with compliance staff, (5) pre-emptively identify and remediate known weaknesses, (6) prepare governance papers showing board oversight.
100
What makes someone effective as a KYC analyst vs KYC manager?
Analyst: accurate file-building, attention to detail, adherence to procedure, timely escalation. Senior analyst: independent judgment on marginal cases, coaching juniors, quality assurance. Manager: governance, risk framework oversight, stakeholder management with front office and auditors, regulator-facing communication, resourcing, and strategic program uplift.