The AML KYC Onboarding Lifecycle Process Flow – 2017-2018 Guide and Overview

With a few exceptions, the AML KYC onboarding lifecycle involves five distinct phases that are listed and explained below:

  • Customer Identification Program (CIP)
  • Customer due diligence (CDD)
  • Enhanced due diligence (EDD)
  • Account opening
  • Annual review

We also touch on new Bank Secrecy Act (BSA) regulations that will be enforced by OFAC effective May 2018.

Below is the full KYC AML process flow explained in detail.

Customer Fills Out an Application

After a prospective customer (individual, trust, or business entity) agrees to open an account and engage in a relationship with a bank or non-bank financial institution, the front office, sales, or relationship manager initiates the anti-money laundering/know-your-customer process.

Depending on the structure of the bank or non-bank institution, the KYC/AML Review Team or the compliance department conducts the know-your-customer screening.

Customer Identification Program (CIP) Phase: KYC AML BSA Process 

Initiating the AML KYC process involves a notification (normally automated) being sent to the AML (or related KYC) group, alerting it to commence the AML review process.

This is part of what is known as the customer onboarding process. 

The first phase of the AML review process is the Customer Identification Program (CIP), which involves collecting and verifying the new customer's information. 

As mandated by FinCEN (Financial Crimes Enforcement Network), all financial institutions are required to have a written and well-documented Customer Identification Program (CIP) incorporated into their AML compliance program. FinCEN is the Department of the Treasury's watchdog, responsible for protecting the financial system "from illicit use and combating money laundering through the collection, analysis, and dissemination of financial intelligence and strategic use of financial authorities".

At a minimum, the following customer information will be collected as part of the KYC process:

  1. Customer Name, Business or Legal Entity Name
  2. Address
  3. Date of Birth (for Individuals)
  4. Identification Number


If the customer is an individual, then the person's physical residential address needs to be validated (United States Postal Office boxes (P.O. boxes) are not accepted). If the individual does not have a physical residential address, he or she can provide any of these:

  • Military Post Office box number
  • Fleet Post Office box number
  • Residential or business street address of the next of kin

If the customer is a non-individual (“business entity”), then the address can be:

  • Principal place of business
  • A local office
  • Other physical location (e.g., an agent's office)

Identification Number

  • For a U.S. person this will typically be the social security number, the Taxpayer Identification Number (“TIN”), or Individual Taxpayer Identification Number (“ITIN”)
  • For a non-U.S. person this will be a passport number and country of issuance, an Alien Identification Card number, or a number and country of issuance of any other government-issued document evidencing nationality or residence and bearing a photograph.

If the customer is a non-individual (“business entity”): 

  • For a U.S. legal entity, this will typically be an Employer Identification Number (“EIN”) from a legal registration document
  • If a foreign business does not have an identification number, an alternative government-issued document certifying the existence of the business must be obtained, or the business must be validated via a government-sponsored source or other reliable source.

It is general practice across the financial industry for firms to maintain the identification information received from the customer at account opening for a period of five years after the account closes (loan is paid off, sold, or transferred). 

Examples of Documentary Verification

Valid ID

All forms of identification used to verify identity must be original and current, as well as include a clear photograph of the customer that clearly resembles the customer.

Expired identification documents are unacceptable. The following are valid forms of identification:

  • Valid state driver’s license with photograph
  • Valid state non-driver’s license with photograph
  • Work ID with photograph
  • Student ID with photograph
  • Military ID with photograph
  • Military dependent’s ID with photograph
  • Department of Public Welfare ID with photograph
  • Medicare Card with photograph
  • U.S. Passport with photograph

Valid ID – Not a U.S. Citizen

In addition to the identification listed above, the following forms of identification are acceptable for customers who are not citizens of the United States:

  • Non-U.S. passport with photograph (check OFAC's consolidated list before accepting a foreign passport for identification to ensure the country issuing the Non-U.S. Passport is not on the OFAC sanctions list)
  • Resident alien card

Address Mismatch

For certain individuals where the address on the application doesn’t match the address on the identification or the last name on the application doesn’t match the last name on the identification, financial firms will often request another form of identification, such as a utility bill or marriage license to verify the identity.

Your firm should require additional identification if:

  • The customer's photo identification is unclear
  • The signature on the identification does not match the signature on the signed documents
  • The driver’s license or state identification card was recently issued
  • The address on the application does not match: (a) the address provided by the customer or (b) the address on the identification card
  • Any other reason that your firm deems necessary

CDD: AML KYC Process Flow

After CIP, the next phase in the AML KYC Onboarding lifecycle process is the customer due diligence (CDD) phase, which involves assessing the client or customer to determine whether that person or company should be given a low, medium, or high-risk AML rating.

During CDD the customer is also screened against PEP lists and OFAC's sanctions lists.

Based on various factors (type of business, source of income, source of wealth, expected cash transactions, location of residence, location of business, and other ratings criteria), the customer can be classified as a low-risk, moderate-risk, or high-risk customer.

* Risk Assessment Score Legend

EDD Process (Enhanced Due Diligence) 

In cases where a client is deemed to pose a higher than accepted risk, the case is escalated to the chief AML officer or a designee in a process known as enhanced due diligence (EDD). EDD is the third phase in the AML KYC process flow.

When performing EDD, follow the below industry best practices and new regulatory requirements.

(1) EDD on High Risk Entities

When conducting EDD on high risk entities, you will need to identify all beneficial owners of each legal entity customer at the time of account opening unless an exclusion or an OFAC exemption applies to the customer or account. 

Legal entity customers include the following entities created by a filing with a state office or with a Secretary of State:

  • corporations
  • limited liability companies
  • limited partnerships
  • general partnerships
  • business trusts
  • any other entity created by a filing with a state office
  • any similar entities formed under the laws of a non-US jurisdiction

Effective May 11, 2018, OFAC will require all banking and non-banking firms that are subject to BSA to identify and verify the identity of beneficial owners of legal entity customers at the time the customer opens a new account, as well as develop risk profiles and conduct ongoing monitoring of these customers. This will be done irrespective of whether the customer is rated a high risk, moderate risk, or low risk. 

From the U.S. Federal Register Announcement on New BSA/AML Rule:

"As with CIP for individual customers, covered financial institutions must collect from the legal entity customer the name, date of birth, address, and social security number or other government identification number (passport number or other similar information in the case of foreign persons) for individuals who own 25% or more of the equity interest of the legal entity (if any), and an individual with significant responsibility to control/manage the legal entity at the time a new account is opened."

(2) EDD on High Risk Individuals

For individuals that are rated high risk, see below on conducting EDD.

As specified by the Board of Governors of the Federal Reserve System, when conducting EDD, financial firms should review the below elements during the onboarding phase and also throughout the life of the relationship:

Open Account or Deny Application

Only after CDD/EDD has been approved should an account be opened in accordance with financial regulations and requirements. Account opening is the final phase in the KYC Onboarding lifecycle process flow. In the event that the application poses an unacceptable level of risk, the next step is for the chief AML lead or compliance lead to reject the application.

Annual AML/BSA Review

AML review does not end after onboarding a client. Depending on the risk classification of the client, there has to be an ongoing/annual review of the client's transactional activities. For high-risk clients, the typical practice is to conduct a review once or twice a year. For low- to mid-risk clients, conduct a review every 1-3 years. Most firms review such clients every 1-2 years for medium risk, and every 2-3 years for low risk.
