Fraud & Compliance / Learning brief
KYC and customer due diligence basics
Your notes
In simple terms / 01
What this means in plain language
Know your customer (KYC) identity checks and customer due diligence (CDD) establish who a customer is, who owns them, and how much risk they carry, before an account opens and throughout the relationship, with screening as one input.
Before a bank lets someone move money, it needs to know who that someone actually is. Know your customer (KYC) is the set of checks that establish and verify a customer's identity: the legal name, date of birth or registration details, address, and, for a company, who ultimately owns and controls it. Customer due diligence (CDD) is the wider judgement built on that identity, understanding what the customer does, why they want the account, and the risk the relationship carries. Identity is verified at onboarding and refreshed over time, while due diligence continues for as long as the relationship lasts. Sanctions and watchlist screening is one input into this picture, not the whole of it: it checks the verified names against lists, but KYC and CDD also weigh geography, product, and expected behaviour. Together they answer a single question, is this customer who they claim, and what risk do they bring?
Complete lesson / 02
Understand the full idea, step by step
Open a bank account today and, before it will hold a single rupee, the bank asks for your name, your date of birth, an address, and a document to prove all three. It can feel like paperwork for its own sake. It is actually the first control in the whole chain of financial-crime defence — and every control that comes after it depends on getting this one right.
What Bank Alfa gathers at onboarding
- Legal identity
- Registered name, registration number, country of incorporation
- People behind it
- Directors and the ultimate beneficial owner(s)
- Purpose
- Nature of business — importing goods — and the activity expected on the account
- Verification
- Checked against reliable, independent sources, not taken on trust
- Screening input
- Verified names run against sanctions and PEP lists
Know Your Customer (KYC) — the identity checks a bank runs before and throughout a relationship
KYC is the work of establishing and confirming who a customer really is. For a person that means a legal name, date of birth, and address, confirmed through documents or electronic verification. For a company it means registration details, the nature of the business, and the people behind it. The standard is not absolute certainty but reasonable satisfaction: the bank must be reasonably satisfied the customer is who they claim to be, using independent evidence rather than the customer's word alone.
Customer Due Diligence (CDD) — understanding a customer's risk, not just their identity
If KYC answers who, customer due diligence answers what and why: what the customer does, why they want the account, where their funds come from, and what activity would be normal for them. The bank assembles this into a customer risk profile. That profile becomes a baseline — the expectation against which later behaviour is compared, so a payment far outside the pattern stands out instead of blending in.
Is screening the same thing as KYC? Both check names against lists.
They are connected but not the same. KYC and CDD establish and understand the customer once; screening is a repeated check that runs the verified names against sanctions and PEP (politically exposed person) lists — at onboarding and again every time the lists change. Screening is one input into due diligence, not the whole of it. Verified identity is what makes screening meaningful: you can only check a name against a list once you are confident the name is real.
How onboarding runs
- CUSTOMER
Asha Traders provides its identifying details: registration, ownership, the nature of its trade, and the account's intended purpose.
- VALIDATION
Bank Alfa verifies those details against reliable, independent sources — a company register, corporate documents — rather than accepting them at face value.
- VALIDATION
The verified names are screened against sanctions and PEP lists, so any match is investigated before the account opens rather than after.
- VALIDATION
The bank builds a risk profile from factors such as geography, product, channel, and customer type, and sets the depth of due diligence to match.
- NOTIFICATION
The decision to accept — and the checks that supported it — are recorded, so the bank can explain afterwards why it took this customer on.
Standard, or something heavier
Due diligence is applied in proportion to risk. Most customers receive standard due diligence. Where the risk profile is higher — an opaque ownership structure, a higher-risk country, a connection to a PEP — the relationship receives enhanced due diligence (EDD), which gathers more information, such as source of wealth, and applies closer attention. The judgement is documented either way, because a risk rating nobody can explain is treated as a weakness even when the number itself looks sensible.
WHAT IF — A year later, Asha Traders' payments no longer match the profile recorded at onboarding — large transfers begin flowing to a country it never mentioned.
What happens: This does not mean a crime has occurred, and the account is not closed on the spot. It triggers an event-driven review: the bank re-examines the customer, seeks an explanation, and refreshes the risk picture.
How it is handled: Due diligence is not a form filed once and forgotten. Alongside these event-driven reviews, customers are re-examined on a periodic cycle set by their risk rating, and screening runs continuously so a newly designated name is caught even when the customer has not changed. Maya's team escalates a concern it cannot resolve rather than closing it quietly.
STRICTLY SPEAKING
Strictly speaking, the precise identification documents, verification methods, and review frequencies are set by the anti-money-laundering regime a bank operates under and by the bank's own policy, so the detail differs between jurisdictions and institutions. What is common everywhere is the shape: identify, verify against independent evidence, understand the risk, and keep the picture current for the life of the relationship.
FOR NOW, REMEMBER
- KYC establishes and verifies who a customer is; CDD turns that identity into an understanding of the customer's risk.
- Screening is one input into due diligence, not a substitute for it — verified identity is what makes a list check meaningful.
- Due diligence is proportionate: most customers get standard CDD, higher-risk ones get enhanced due diligence.
- Due diligence is ongoing — periodic reviews plus event-driven triggers keep the file close to reality, with the reasoning recorded.
TRY IT YOURSELF
Asha Traders was fully verified when its account opened a year ago. Since then its payments have shifted from home-country suppliers to large transfers to a country it never mentioned at onboarding. What does customer due diligence require now?
We said due diligence is applied in proportion to risk. The next lesson opens that up: how a bank actually scores each customer's risk, and what enhanced due diligence adds when the score is high.
KEEP GOINGKey takeaways / 03
Three things to remember
- 01
KYC verifies identity; CDD builds the risk understanding around that identity.
- 02
Due diligence is not a one-time gate, it continues for the life of the relationship.
- 03
Screening checks names against lists, but is only one part of due diligence.
Practical use cases / 04
Where you would use this
An onboarding analyst verifies a new customer's identity documents and beneficial owners before the account is approved.
A relationship manager updates a corporate customer's due-diligence file after a change in ownership or business activity.
A financial-crime team uses the risk picture from CDD to decide how closely to monitor and how often to review a customer.
Worked example / 05
Put the idea into a real situation
Illustrative example: a fictional import business, Harbour Lane Trading Ltd, applies to open an account at a fictional bank, Meridian Trust. Onboarding verifies the company's registration number, confirms two directors and one beneficial owner holding 60% of shares, and screens all four names against sanctions and politically exposed person (PEP) lists with no true match. The customer states an expected monthly turnover of EUR 250,000.00 across 40 transfers. Six months later, incoming volume reaches EUR 900,000.00 across 130 transfers, far outside the stated profile, so the due-diligence file is reviewed and refreshed rather than left to drift.
Evidence & review / 07
Evidence & review
General AML/CFT customer due diligence as framed by the FATF standards; specific documents, methods, and review cycles are set by each jurisdiction's regime and each bank's policy.
What this brief simplifies: Presents a single generic onboarding path. Real programmes differ in required documents, acceptable verification methods, simplified-due-diligence eligibility, and review frequencies; screening and PEP handling are shown at a conceptual level.
Sources for this brief2
- Official requirement
The FATF Recommendations: International Standards on Combating Money Laundering and the Financing of Terrorism & Proliferation ↗ — Financial Action Task Force · Recommendation 10 (CDD); Recommendation 12 (PEPs)
Adopted in 2012 and updated regularly since; the June 2025 FATF plenary agreed revisions to Recommendation 16 on payment transparency. Consult the live consolidated text for the current wording.
- Simplified educational illustration
Payments Signal editorial teaching models — Payments Signal · Asha Traders onboarding scenario and the onboarding step sequence
Used wherever diagrams, scenarios, figures, or example values are didactic constructions rather than sourced facts; every such use carries a simplifications disclosure. All people, companies, banks, and list entries in examples are fictional.