GLOBAL PAYMENTS KNOWLEDGEISO 20022 / SWIFT / SEPA / MT / MX

Fraud & Compliance / Learning brief

KYC and customer due diligence basics

Your notes

What this means in plain language

Know your customer (KYC) identity checks and customer due diligence (CDD) establish who a customer is, who owns them, and how much risk they carry, before an account opens and throughout the relationship, with screening as one input.

Before a bank lets someone move money, it needs to know who that someone actually is. Know your customer (KYC) is the set of checks that establish and verify a customer's identity: the legal name, date of birth or registration details, address, and, for a company, who ultimately owns and controls it. Customer due diligence (CDD) is the wider judgement built on that identity, understanding what the customer does, why they want the account, and the risk the relationship carries. Identity is verified at onboarding and refreshed over time, while due diligence continues for as long as the relationship lasts. Sanctions and watchlist screening is one input into this picture, not the whole of it: it checks the verified names against lists, but KYC and CDD also weigh geography, product, and expected behaviour. Together they answer a single question, is this customer who they claim, and what risk do they bring?

Understand the full idea, step by step

Open a bank account today and, before it will hold a single rupee, the bank asks for your name, your date of birth, an address, and a document to prove all three. It can feel like paperwork for its own sake. It is actually the first control in the whole chain of financial-crime defence — and every control that comes after it depends on getting this one right.

What Bank Alfa gathers at onboarding

Legal identity
Registered name, registration number, country of incorporation
People behind it
Directors and the ultimate beneficial owner(s)
Purpose
Nature of business — importing goods — and the activity expected on the account
Verification
Checked against reliable, independent sources, not taken on trust
Screening input
Verified names run against sanctions and PEP lists

Know Your Customer (KYC)the identity checks a bank runs before and throughout a relationship

KYC is the work of establishing and confirming who a customer really is. For a person that means a legal name, date of birth, and address, confirmed through documents or electronic verification. For a company it means registration details, the nature of the business, and the people behind it. The standard is not absolute certainty but reasonable satisfaction: the bank must be reasonably satisfied the customer is who they claim to be, using independent evidence rather than the customer's word alone.

Customer Due Diligence (CDD)understanding a customer's risk, not just their identity

If KYC answers who, customer due diligence answers what and why: what the customer does, why they want the account, where their funds come from, and what activity would be normal for them. The bank assembles this into a customer risk profile. That profile becomes a baseline — the expectation against which later behaviour is compared, so a payment far outside the pattern stands out instead of blending in.

Is screening the same thing as KYC? Both check names against lists.

They are connected but not the same. KYC and CDD establish and understand the customer once; screening is a repeated check that runs the verified names against sanctions and PEP (politically exposed person) lists — at onboarding and again every time the lists change. Screening is one input into due diligence, not the whole of it. Verified identity is what makes screening meaningful: you can only check a name against a list once you are confident the name is real.

How onboarding runs

  1. CUSTOMER

    Asha Traders provides its identifying details: registration, ownership, the nature of its trade, and the account's intended purpose.

  2. VALIDATION

    Bank Alfa verifies those details against reliable, independent sources — a company register, corporate documents — rather than accepting them at face value.

  3. VALIDATION

    The verified names are screened against sanctions and PEP lists, so any match is investigated before the account opens rather than after.

  4. VALIDATION

    The bank builds a risk profile from factors such as geography, product, channel, and customer type, and sets the depth of due diligence to match.

  5. NOTIFICATION

    The decision to accept — and the checks that supported it — are recorded, so the bank can explain afterwards why it took this customer on.

Standard, or something heavier

Due diligence is applied in proportion to risk. Most customers receive standard due diligence. Where the risk profile is higher — an opaque ownership structure, a higher-risk country, a connection to a PEP — the relationship receives enhanced due diligence (EDD), which gathers more information, such as source of wealth, and applies closer attention. The judgement is documented either way, because a risk rating nobody can explain is treated as a weakness even when the number itself looks sensible.

WHAT IF — A year later, Asha Traders' payments no longer match the profile recorded at onboarding — large transfers begin flowing to a country it never mentioned.

What happens: This does not mean a crime has occurred, and the account is not closed on the spot. It triggers an event-driven review: the bank re-examines the customer, seeks an explanation, and refreshes the risk picture.

How it is handled: Due diligence is not a form filed once and forgotten. Alongside these event-driven reviews, customers are re-examined on a periodic cycle set by their risk rating, and screening runs continuously so a newly designated name is caught even when the customer has not changed. Maya's team escalates a concern it cannot resolve rather than closing it quietly.

STRICTLY SPEAKING

Strictly speaking, the precise identification documents, verification methods, and review frequencies are set by the anti-money-laundering regime a bank operates under and by the bank's own policy, so the detail differs between jurisdictions and institutions. What is common everywhere is the shape: identify, verify against independent evidence, understand the risk, and keep the picture current for the life of the relationship.

FOR NOW, REMEMBER

  • KYC establishes and verifies who a customer is; CDD turns that identity into an understanding of the customer's risk.
  • Screening is one input into due diligence, not a substitute for it — verified identity is what makes a list check meaningful.
  • Due diligence is proportionate: most customers get standard CDD, higher-risk ones get enhanced due diligence.
  • Due diligence is ongoing — periodic reviews plus event-driven triggers keep the file close to reality, with the reasoning recorded.

TRY IT YOURSELF

Asha Traders was fully verified when its account opened a year ago. Since then its payments have shifted from home-country suppliers to large transfers to a country it never mentioned at onboarding. What does customer due diligence require now?

Nothing — identity was verified at onboarding, and CDD is a one-time check completed at the door.

Not this one — Due diligence continues for the life of the relationship. Treating it as a one-time check is exactly the gap that ongoing CDD exists to close.

An event-driven review: the activity no longer matches the profile, so the bank re-examines the customer, seeks an explanation, and refreshes the risk picture.

Correct — Correct. A file that says one thing while the payments say another is the signal for an event-driven review — calmly, with the reasoning recorded, not a quiet closure and not an accusation.

The account must be closed immediately because the new country was not declared at onboarding.

Not this one — Closure is not automatic. Unexplained change is a reason to review and, if a concern holds, to escalate — not a reason to act before the bank understands what it is seeing.

We said due diligence is applied in proportion to risk. The next lesson opens that up: how a bank actually scores each customer's risk, and what enhanced due diligence adds when the score is high.

KEEP GOING

Three things to remember

  1. 01

    KYC verifies identity; CDD builds the risk understanding around that identity.

  2. 02

    Due diligence is not a one-time gate, it continues for the life of the relationship.

  3. 03

    Screening checks names against lists, but is only one part of due diligence.

Where you would use this

USE CASE 01

An onboarding analyst verifies a new customer's identity documents and beneficial owners before the account is approved.

USE CASE 02

A relationship manager updates a corporate customer's due-diligence file after a change in ownership or business activity.

USE CASE 03

A financial-crime team uses the risk picture from CDD to decide how closely to monitor and how often to review a customer.

Put the idea into a real situation

Illustrative example: a fictional import business, Harbour Lane Trading Ltd, applies to open an account at a fictional bank, Meridian Trust. Onboarding verifies the company's registration number, confirms two directors and one beneficial owner holding 60% of shares, and screens all four names against sanctions and politically exposed person (PEP) lists with no true match. The customer states an expected monthly turnover of EUR 250,000.00 across 40 transfers. Six months later, incoming volume reaches EUR 900,000.00 across 130 transfers, far outside the stated profile, so the due-diligence file is reviewed and refreshed rather than left to drift.

Evidence & review

REVIEWED 2026-07-13

General AML/CFT customer due diligence as framed by the FATF standards; specific documents, methods, and review cycles are set by each jurisdiction's regime and each bank's policy.

What this brief simplifies: Presents a single generic onboarding path. Real programmes differ in required documents, acceptable verification methods, simplified-due-diligence eligibility, and review frequencies; screening and PEP handling are shown at a conceptual level.

Sources for this brief2
  1. Official requirement

    The FATF Recommendations: International Standards on Combating Money Laundering and the Financing of Terrorism & ProliferationFinancial Action Task Force · Recommendation 10 (CDD); Recommendation 12 (PEPs)

    The global standards countries implement against money laundering, terrorist financing, and proliferation financing, including targeted financial sanctions and payment transparency under Recommendation 16. · Checked 2026-07-12

    Adopted in 2012 and updated regularly since; the June 2025 FATF plenary agreed revisions to Recommendation 16 on payment transparency. Consult the live consolidated text for the current wording.

  2. Simplified educational illustration

    Payments Signal editorial teaching modelsPayments Signal · Asha Traders onboarding scenario and the onboarding step sequence

    This site's own simplified teaching models. · Checked 2026-07-12

    Used wherever diagrams, scenarios, figures, or example values are didactic constructions rather than sourced facts; every such use carries a simplifications disclosure. All people, companies, banks, and list entries in examples are fictional.

Learn this properly

Related briefs

View Fraud & Compliance archive

Customer risk rating and enhanced due diligence

A customer risk rating scores each relationship from factors such as geography, product, channel, and behaviour, and that score decides whether the customer receives standard or enhanced due diligence (EDD) and how often the file is reviewed.

READ BRIEF

The SWIFT KYC Registry

The KYC Registry is a shared platform where banks contribute and consume standardised due-diligence data and documents, so correspondent know-your-customer information is collected once and reused instead of exchanged bilaterally many times over.

READ BRIEF

Screening for politically exposed persons (PEPs)

Politically exposed persons hold prominent public roles that carry higher corruption risk. Screening flags them so a bank applies enhanced due diligence — a deeper, documented review and senior sign-off — rather than the hard payment stop a sanctions match triggers.

READ BRIEF