The KYC AML Policy, Documents, Process – Guide and Overview 

It’s no surprise that financial crimes such as money laundering and identity theft are prevalent in the financial industry. This is why the adoption of anti-money laundering (AML) regulations and know your customer (KYC) processes has been necessary.

While KYC and AML go hand in hand, they are two distinct areas of bank and financial institution security.

AML policy covers safeguards to help prevent money laundering and terrorist financing. One of those safeguards is to ensure the identity of the person completing the financial transactions. This is described as know your customer.

A KYC check refers to verifying that the information provided about a person is legitimate and evaluating the risks of doing business with them.

With a few exceptions, the AML KYC onboarding lifecycle involves five distinct phases that are listed and explained below:

  • Customer Identification Program (CIP)
  • Customer due diligence (CDD)
  • Enhanced due diligence (EDD)
  • Account opening
  • Annual review

In this article regarding AML KYC compliance and KYC documents, we’ll also touch on the more recent Bank Secrecy Act (BSA) regulations initiated in May 2018 relating to customer due diligence and beneficial ownership.

Below is the full KYC AML process flow – which can include things like a KYC form, electronic KYC check, and applicant risk rating – explained in detail.

Customer Fills Out a KYC Form

When a prospective customer (individual, trust, or business entity) wants to open an account and engage in a relationship with a bank or non-bank financial institution, the front office, sales, or relationship manager initiates anti-money laundering compliance with the know your customer (KYC) form.

This is a standard application form where personal information is gathered such as:

  • Name
  • Address
  • Nationality
  • Proof of address & identity

Depending on the structure of the bank or non-bank institution, the KYC/AML Review Team or the compliance department conducts the know your customer screening.

A KYC form can vary slightly between organizations, but all gather the same basic requirements in order to assess a person’s suitability for opening an account. This is the first and, many would argue, most important of the AML KYC documents.

Customer Identification Program (CIP) Phase: KYC AML BSA Process 

Initiating the AML KYC process involves a notification (normally automated) being sent to the AML (or related KYC) group, alerting it to commence the AML review process per KYC requirements.

This is part of what is known as the customer onboarding process. 

The first phase of the AML review process is the Customer Identification Program (CIP), which involves collecting and verifying the new customer’s information and the forms of proof of identity that they provided along with the KYC form.

As mandated by FinCEN (Financial Crimes Enforcement Network), all financial institutions are required to have a written and well-documented Customer Identification Program (CIP) incorporated into their AML compliance program. 

FinCEN is the Department of the Treasury’s watchdog that is responsible for protecting the financial system from “illicit use, combat money laundering, and promote national security through the strategic use of financial authorities and the collection, analysis, and dissemination of financial intelligence.”

At a minimum, the following customer information will be collected in the KYC documents as part of the KYC process:

  • Customer Name, Business or Legal Entity Name
  • Address
  • Date of Birth (for Individuals)
  • Identification Number


If the customer is an individual, then the person’s physical residential address needs to be validated (United States Post Office boxes are not accepted). If the individual does not have a physical residential address, he or she can provide any of these:

  • Army Post Office box (APO)
  • Fleet Post Office box (FPO)
  • Residential or business street address of the next of kin

If the customer is a non-individual (“business entity”), then the address provided for KYC details can be:

  • Principal place of business
  • A local office
  • Other physical location (e.g., an agent’s office)

Identification Number

  • For a U.S. person, this will typically be the social security number, the Taxpayer Identification Number (“TIN”), or Individual Taxpayer Identification Number (“ITIN”)
  • For a non-U.S. person, this will be a passport number and country of issuance, an Alien Identification Card number, or a number and country of issuance of any other government-issued document evidencing nationality or residence and bearing a photograph.

If the customer is a non-individual (“business entity”): 

  • For a U.S. legal entity, this will typically be an Employer Identification Number (“EIN”) from a legal registration document
  • If a foreign business does not have an identification number, an alternative government-issued document certifying the existence of the business must be obtained, or the business must be validated via a government-sponsored source or other reliable sources.

It is a general practice across the financial industry for firms to maintain the identification information received from the customer at account opening for a period of five years after the account closes (loan is paid off, sold, or transferred). 

Online Accounts

Many banks and other firms and institutions in the financial industry allow customers to open accounts online without needing to appear in person. How do you “know your customer” then?

CIP rules recognize that this is a convenience used in today’s digital age, so they offer flexibility in this area. However, an organization must still adhere to KYC requirements. This may be through the upload of a scanned driver’s license and other necessary verification documents.

Examples of Documentary Verification

Valid ID

All forms of identification used to verify identity must be original and current, and must include a clear photograph that clearly resembles the customer.

Expired identification documents are unacceptable. The following are valid forms of identification:

  • Valid state driver’s license with a photo
  • Valid state non-driver’s license with a photo
  • Work ID with a photo
  • Student ID with a photo
  • Military ID with a photo
  • Military dependent’s ID with a photo
  • Department of Public Welfare ID with a photo
  • Medicare Card with a photo
  • U.S. Passport with a photo

Valid ID – Not a U.S. Citizen

In addition to the identification listed above, the following forms of identification are acceptable for customers who are not citizens of the United States:

  • Non-U.S. passport with photograph (check OFAC’s consolidated list before accepting a foreign passport for identification to ensure the country issuing the Non-U.S. Passport is not on the OFAC sanctions list)
  • Resident alien card

Address Mismatch

For certain individuals where the address on the application doesn’t match the address on their identification or the last name on the application doesn’t match the last name on their identification, financial firms will often request another form of identification, such as a utility bill or marriage license to verify the identity or address.

This gives the individual some flexibility within AML KYC compliance rules to prove they are who they say they are even if there is a mismatch with their identification.

A firm should require additional identification if:

  • The customer’s photo identification is unclear
  • The signature on the identification does not match the signature on the signed documents
  • The driver’s license or state identification card was recently issued
  • The address on the application does not match: (a) the address provided by the customer or (b) the address on the identification card
  • Any other reason that your firm deems necessary

CDD: AML KYC Process Flow

After CIP, the next phase in the AML KYC onboarding lifecycle process is the customer due diligence (CDD) phase, which involves assessing the client or customer to determine whether that person or company should be given a low, medium, or high-risk AML rating.

During CDD the customer is also screened against PEP (politically exposed person) lists and Office of Foreign Assets Control’s (OFAC) sanctions lists.

In this phase of the know your customer process, the customer is evaluated and given a “risk of doing business with” score, which can then be accessed later during a KYC check.

Based on various factors (type of business, source of income/wealth, expected cash transactions, location of residence, location of the business, and other rating criteria), the customer can be classified as low risk, moderate risk, or high risk.

Some of the basic AML compliance categories for assessing risk include:

  • Customer address and domicile
  • Customer’s business industry
  • Name and type of customer
  • Anticipated types of account activities
  • Foreign or domestic account
  • PEP screening
  • Past financial history

EDD Process (Enhanced Due Diligence) 

In cases where a client is deemed to pose a higher than acceptable risk, the case is escalated to the chief AML officer or a designee in a process known as enhanced due diligence (EDD). EDD is the third phase in the AML KYC process flow.

When performing EDD, follow the below industry best practices and any new regulatory requirements.

(1) EDD on High-Risk Entities

When conducting EDD on high-risk entities according to KYC AML policy, you will need to identify all beneficial owners of each legal entity customer at the time of account opening unless an exclusion or an OFAC exemption applies to the customer or account. 

Legal entity customers include the following entities created by a filing with a state office or with a Secretary of State:

  • corporations
  • limited liability companies
  • limited partnerships
  • general partnerships
  • business trusts
  • any other entity created by a filing with a state office
  • any similar entities formed under the laws of a non-US jurisdiction

One of the newer AML KYC requirements came into effect on May 11, 2018.

The requirement notes that OFAC will require all banking and non-banking firms that are subject to BSA to identify and verify the identity of beneficial owners of legal entity customers at the time the customer opens a new account, as well as develop risk profiles and conduct ongoing monitoring of these customers. This will be done irrespective of whether the customer is rated high risk, moderate risk, or low risk. 

From the U.S. Federal Register Announcement on New BSA/AML Rule:

“As with CIP for individual customers, covered financial institutions must collect from the legal entity customer the name, date of birth, address, and social security number or other government identification number (passport number or other similar information in the case of foreign persons) for individuals who own 25% or more of the equity interest of the legal entity (if any), and an individual with significant responsibility to control/manage the legal entity at the time a new account is opened.”

You can keep up to date with financial industry news and AML KYC details on the OCC news page.

(2) EDD on High-Risk Individuals

For individuals that are rated high risk, see the KYC and AML process below on conducting EDD.

As specified by the Board of Governors of the Federal Reserve System, when conducting EDD, financial firms should review the below elements during the onboarding phase and also throughout the life of the relationship. The know your customer requirement doesn’t stop after the account is opened.

KYC requirements to review for high-risk customers:

  • The purpose of the account
  • Source of their funds and wealth
  • Individuals with ownership or control over the account, such as beneficial owners, signatories, or guarantors
  • Occupation or type of business (of the customer and/or other individuals with account ownership or control)
  • Financial statements
  • Banking references
  • Domicile (where the business is organized or incorporated)
  • The proximity of the customer’s residence, place of employment, or place of business to the bank or other financial institution
  • Description of the customer’s primary trade area and whether there will be routine international financial transactions
  • Description of the business operations, the anticipated volume of currency and total sales, and list of major customers and suppliers
  • Explanations for changes in account activity

Due diligence is ongoing, so the KYC AML process should also be ongoing. Banks and other financial entities should take measures to ensure account profiles are current, and monitoring should be risk-based.

Banks should consider whether risk profiles need to be adjusted or any suspicious activity reported when activity is inconsistent with the profile.

For more information on performing EDD on high-risk individual clients in accordance with anti-money laundering regulations, see: Enhanced Due Diligence Process for High-Risk Clients.

Open Account or Deny Application

Only after CDD/EDD has been approved should an account be opened in accordance with financial regulations and requirements. Account opening is the final phase in the KYC onboarding lifecycle process flow.

If, after completing the KYC and AML evaluation of the customer, the application poses too much of a risk, then the next step is for the chief AML lead or compliance lead to reject the application.

Annual AML/BSA Review

As mentioned, the AML review does not end after onboarding a client. Depending on the risk classification of the client, there should be an ongoing/annual review of the client’s transactional activities if you want to properly adhere to the AML KYC process flow.

For high-risk clients, the average process is to conduct a “know your customer” review once a year or twice a year. For low to mid-level risk clients, conduct a review every 1-3 years. Most firms review such clients every 1-2 years for medium risk and every 2-3 years for low risk.

To recap the suggested ongoing review timeframe of your KYC documents and client activities:

  • Low Risk: Every 2-3 years
  • Medium Risk: Every 1-2 years
  • High Risk: Every 6 months to 1 year

Conclusion: AML KYC Process Guide

While there are several steps to ensure AML KYC compliance with the “know your customer” rules and ongoing monitoring, the process is designed to protect those in the financial industry and help prevent money laundering and terrorist funding activities.

For anyone working to meet AML KYC requirements, it can be made easier through the use of a detailed AML KYC strategy.
