Know your customer
Financial institution and company term
From Wikipedia, the free encyclopedia
Know your customer or know your client (KYC)[1][2] laws, regulations and guidelines in financial services require regulated businesses and professionals to verify the identity, suitability, and risks involved with maintaining a business relationship with a customer. These procedures fit within the broader scope of anti-money laundering (AML) and counter-terrorism financing (CTF) regulations.
KYC requirements have evolved from simple identity verification into comprehensive risk management frameworks designed to combat illicit financial activity. These procedures enable institutions to better understand their clients' financial behavior, identity, and transactions, and aid in assessing exposure to money laundering and an extensive range of underlying crime, including bribery, corruption, fraud, extortion, human trafficking and drug smuggling.[3] Information collected by regulated entities as a result of complying with KYC obligations is used to aid law enforcement and national security. In addition to verifying personal or corporate identities, modern KYC standards often include customer due diligence and enhanced due diligence for higher-risk clients, ensuring compliance with global inter-governmental standards set out by the Financial Action Task Force since 1989.[4]
KYC processes are also employed by companies of all sizes for the purpose of ensuring their proposed customers, agents, consultants, or distributors are anti-bribery compliant and are actually who they claim to be. Banks, insurers, export creditors, and other financial institutions are increasingly required to make sure that customers provide detailed due-diligence information. Initially, these regulations were imposed only on the financial institutions, but now the non-financial industry, fintech, virtual assets dealers, and even non-profit organizations are included in regulations in many countries.
Requirements
AML/CFT legislation strengthens the prevention of and the fight against money laundering, its predicate offences and terrorist financing. It places legally binding obligations on sectors exposed to the risk of money laundering or the financing of terrorism to monitor their customers and transactions, and to report suspicious activities to governments.[5]
In the European Union these sectors are described as obliged entities, whereas in the United States the term covered institutions is used.[6][7]
Obliged entities are required to identify and assess the risks of money laundering and terrorist financing to which they are exposed. This business-wide risk assessment must be kept up to date. To manage these risks and comply with relevant AML legislation, obliged entities must have internal policies, procedures and controls in place. This includes applying Customer Due Diligence (CDD) measures and may require Enhanced Due Diligence (EDD) checks for certain categories of customers or transactions.[8]
The US Financial Crimes Enforcement Network (FinCEN), a bureau of the US Department of the Treasury tasked with safeguarding the financial system from illicit activity, sets out the core elements of CDD as:
- Customer identification and verification,
- Beneficial ownership identification and verification,
- Understanding the nature and purpose of customer relationships to develop a customer risk profile, and
- Ongoing monitoring for reporting suspicious transactions and, on a risk-basis, maintaining and updating customer information.[9]
KYC encompasses a set of practices to verify business clients. These include verification of registration credentials, location, the Ultimate Beneficial Owners (UBOs) of that business client, etc. The business client is also screened against blacklists and grey lists to check whether it is involved in any sort of criminal activity, e.g. money laundering, terrorist financing or corruption.[10] KYC is significant in identifying fake business entities and shell companies. KYC protocols for business clients typically include verifying business activities to determine whether they align with a company's risk tolerance. High-risk sectors may include gambling facilities, money services businesses, and adult entertainment industries, among others. KYC service providers such as LexisNexis and Enigma Technologies offer data and ongoing monitoring solutions that enable verification during both initial onboarding and throughout the entire business relationship lifecycle.
The main categories of Know-Your-Customer requirements of CDD, along with the need for additional checks for high-risk clients, have been set out in the United States in the Financial Industry Regulatory Authority (FINRA) Rule 2090, which states that financial institutions must use reasonable diligence to identify and retain the identity of every customer and every person acting on behalf of those customers.[11] In enforcing this rule, these organizations are expected to collect all information essential to knowing their customers. The components deemed necessary for meeting know your customer requirements include the Customer Identification Program (CIP), Customer Due Diligence (CDD), and Enhanced Due Diligence (EDD).[12] To fulfill the requirements set out by FinCEN in the 2016 CDD Rule, these checks should be supported by an on-going monitoring programme.[9]
Customer Identification Program
Section 326 of the USA Patriot Act requires banks and other financial institutions to have a Customer Identification Program (CIP). This act requires financial institutions to, at minimum, verify the identity of anyone looking to open an account, maintain records of this information, and verify whether this person is on the list of known or suspected terrorists that financial institutions are provided by the U.S. government. Financial institutions must collect four pieces of identifying information about their customers:
- Name
- Date of birth
- Address
- Identification number
Customer Due Diligence (CDD)
The Bank Secrecy Act, the common name for the Currency and Foreign Transaction Reporting Act of 1970 and its amendments and other statutes, established the customer due diligence (CDD) rule as part of an effort to improve financial transparency and deter money laundering. The CDD rule enhances CDD requirements for "U.S. banks, mutual funds, brokers or dealers in securities, futures commission merchants, and introducing brokers in commodities".[13] The CDD rule requires that financial institutions identify and verify the identity of customers associated with open accounts. The CDD rule has four core requirements:[13]
- Identify and verify the identity of customers
- Identify and verify the identity of the beneficial owners of companies opening accounts
- Understand the nature and purpose of customer relationships to develop customer risk profiles
- Conduct ongoing monitoring to identify and report suspicious transactions, and on a risk basis, to maintain and update customer information
Beneficial owner information is required for any individual who owns 25 percent or more of a legal entity and an individual who controls the legal entity.[13]
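The 25 percent ownership prong and the separate control prong described above can be applied mechanically once an institution has collected the customer's ownership structure. The following is an added example, not part of this article and not FinCEN's own tooling: it resolves beneficial owners of a constructed ownership graph by multiplying shares along each chain of intermediate entities and summing across chains, which goes one step beyond the sentence above by tracing indirect holdings (the FinCEN CDD rule's ownership prong covers ownership held directly or indirectly). The entity names, percentages and the `CONTROL` mapping are constructed sample data; the threshold constant and function names are assumptions of the example.

```python
"""Beneficial-ownership resolution under a 25 % threshold (added example).

Not the article's or FinCEN's code. Legal entities may own other legal
entities; natural persons are the leaves of the graph. A person is reported
under the ownership prong when their aggregated direct-plus-indirect share
reaches THRESHOLD, and under the control prong when listed as controlling
the entity regardless of share.
"""
from collections import defaultdict

THRESHOLD = 0.25  # assumed: 25 percent ownership prong

# Constructed sample data: who holds what share of each legal entity.
OWNERSHIP = {
    "AcmeHoldCo": {"Alice": 0.40, "ShellCo": 0.60},
    "ShellCo": {"Bob": 0.50, "Carol": 0.30, "Dave": 0.20},
}
# Constructed sample data: individuals exercising control (e.g. a managing member).
CONTROL = {"AcmeHoldCo": ["Erin"]}


def effective_ownership(entity, graph, seen=None):
    """Return {person: aggregated share} of `entity`, tracing intermediate entities.

    Shares are multiplied along each chain and summed across chains, so a
    person holding 50 % of a company that holds 60 % of the customer is
    credited with 30 %. A cycle in the graph raises ValueError rather than
    recursing forever.
    """
    seen = seen or frozenset()
    if entity in seen:
        raise ValueError(f"ownership cycle at {entity}")
    totals = defaultdict(float)
    for holder, share in graph.get(entity, {}).items():
        if holder in graph:  # holder is itself a legal entity: recurse into it
            for person, sub in effective_ownership(holder, graph, seen | {entity}).items():
                totals[person] += share * sub
        else:                # holder is a natural person: credit directly
            totals[holder] += share
    return dict(totals)


def beneficial_owners(entity, graph=OWNERSHIP, control=CONTROL, threshold=THRESHOLD):
    """Return sorted (person, share, basis) tuples; basis is 'ownership' or 'control'."""
    shares = effective_ownership(entity, graph)
    owners = [(p, round(s, 4), "ownership") for p, s in shares.items() if s >= threshold]
    for p in control.get(entity, []):
        if not any(o[0] == p for o in owners):
            owners.append((p, round(shares.get(p, 0.0), 4), "control"))
    return sorted(owners)


if __name__ == "__main__":
    for person, share, basis in beneficial_owners("AcmeHoldCo"):
        print(f"{person:6} {share:6.1%} ({basis})")
```

Bob reaches the threshold only through ShellCo (50 % of 60 %), while Carol's 30 % of ShellCo amounts to 18 % of the customer and is not reported; Erin appears solely under the control prong. The cycle check matters in practice because circular cross-holdings do occur in opaque structures and a naive traversal would never terminate.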
Enhanced Due Diligence (EDD)
Enhanced Due Diligence[14] is required when initial identity checks have been completed and high-risk factors have been identified for an individual or a business. These measures may be needed based upon factors such as the jurisdiction the customer is based in, the products they are using, or the nature of the customer. When these requirements have been met "enhanced" or additional due diligence above and beyond CDD is conducted which identifies the following information:[14]
- Source of wealth and funds check
- Additional identity research
- Risk identification and assessment
- Nature of the client
- Details of company background and activities
- Director and shareholder information
The formal concept of additional CDD obligations for certain categories of higher risk customers or transactions was established by the USA Patriot Act of 2001.[15] This established mandatory Enhanced Due Diligence (EDD) obligations. It required US financial institutions to maintain additional rigorous screening for foreign banking accounts, offshore jurisdictions and correspondent banking relationships to combat terrorist financing. FinCEN set out the formal obligations needed to fully implement EDD in a 2007 rule.[16] Requirements to undertake EDD checks and monitoring for higher risk business relationships, customers and transactions were included in the FATF's Forty Recommendations in 2003.[17]
The European Union's AML/CFT legislative framework provides an insight into the current scale of EDD obligations. These requirements were established fully by the 4th AML Directive and consolidated into a single central rulebook by the recent 2024 AML Regulation. This requires EDD to be applied in certain specific situations, such as business relationships with Politically Exposed Persons, cross-border correspondent relationships for crypto-asset service providers, or business relationships involving persons in third countries with significant strategic deficiencies in their national AML/CFT regimes. The EU regulation also identifies a series of factors (Risk Factors) that indicate to obliged entities that relationships or transactions may pose a higher risk of money laundering or terrorist financing and hence require the application of EDD obligations, processes and monitoring. Factors include the reputation, nature or behaviour of customers, complex ownership, customer domicile, presence of nominee shareholders, cash-intensive businesses, use of private banking, payments from unknown third parties, use of new technologies, or transactions linked to oil, tobacco, arms, precious metals or stones.[5]
On-Going Monitoring
One of the core elements of a CDD program that all entities subject to AML/CFT laws must establish is an on-going monitoring program; this is a mandatory obligation.
Such programs enable regulated entities to monitor transactions undertaken by customers throughout the course of a business relationship, to ensure that those transactions are consistent with the regulated entity's knowledge of the customer, the customer's business activities as well as information about the origin and destination of funds, and to detect transactions that are deemed suspicious. A regulated entity is required to report transactions to appropriate regulators where it suspects or has reasonable grounds to suspect funds or activities are the proceeds of criminal activity or are related to terrorist financing or criminal activity. Business relationships subject to EDD should in addition be subject to further and more intensive on-going monitoring.[5]
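The monitoring obligation described above amounts to comparing observed activity with what the institution learned about the customer at onboarding. The following is an added example, not part of this article and not any regulator's or vendor's system: it checks a constructed month of transactions against a CDD profile (declared monthly volume and expected origin/destination countries) and raises alerts for review, applying a tighter tolerance when the relationship is under EDD, in line with the more intensive monitoring the article calls for. The profile fields, tolerance multipliers, rule names and the sample transactions are all assumptions of the example.

```python
"""Ongoing transaction monitoring against a CDD profile (added example).

Not the article's or any regulator's code. Two rules are applied:
  1. aggregate monthly volume versus the volume declared at onboarding,
     with a smaller tolerance for EDD relationships;
  2. counterparty countries outside the declared origin/destination of funds.
Alerts are returned for analyst review, not acted on automatically.
"""
from dataclasses import dataclass, field
from datetime import date


@dataclass
class CustomerProfile:
    customer_id: str
    declared_monthly_volume: float   # assumed: from the CDD questionnaire
    expected_countries: frozenset    # assumed: declared origin/destination of funds
    edd: bool = False                # enhanced due diligence applies


@dataclass
class Txn:
    txn_id: str
    when: date
    amount: float
    counterparty_country: str
    direction: str                   # "in" or "out"


@dataclass
class Alert:
    customer_id: str
    rule: str
    detail: str
    txn_ids: list = field(default_factory=list)


def monitor(profile, txns):
    """Return a list of Alert objects for transactions inconsistent with the profile."""
    # Assumed tolerances: EDD relationships tolerate less deviation before review.
    volume_tolerance = 1.5 if profile.edd else 3.0
    alerts = []

    # Rule 1: monthly aggregate volume versus declared expectation.
    by_month = {}
    for t in txns:
        by_month.setdefault((t.when.year, t.when.month), []).append(t)
    for (year, month), month_txns in sorted(by_month.items()):
        total = sum(t.amount for t in month_txns)
        limit = profile.declared_monthly_volume * volume_tolerance
        if total > limit:
            alerts.append(Alert(
                profile.customer_id, "volume_deviation",
                f"{year}-{month:02d} volume {total:.2f} exceeds {volume_tolerance:.1f}x "
                f"declared {profile.declared_monthly_volume:.2f}",
                [t.txn_id for t in month_txns]))

    # Rule 2: funds to or from a country outside the declared profile.
    for t in txns:
        if t.counterparty_country not in profile.expected_countries:
            alerts.append(Alert(
                profile.customer_id, "unexpected_country",
                f"{t.direction}bound {t.amount:.2f} via {t.counterparty_country} "
                f"not in declared profile",
                [t.txn_id]))
    return alerts


# Constructed sample data: a standard-risk customer and one month of activity.
SAMPLE_PROFILE = CustomerProfile("C-1001", 50_000.0, frozenset({"DE", "FR"}))
SAMPLE_TXNS = [
    Txn("T1", date(2024, 3, 2), 20_000.0, "DE", "in"),
    Txn("T2", date(2024, 3, 10), 15_000.0, "FR", "out"),
    Txn("T3", date(2024, 3, 21), 65_000.0, "DE", "in"),
    Txn("T4", date(2024, 4, 5), 8_000.0, "KY", "out"),
]

if __name__ == "__main__":
    for a in monitor(SAMPLE_PROFILE, SAMPLE_TXNS):
        print(a.rule, a.detail, a.txn_ids)
```

On the sample data the standard-risk profile yields only the unexpected-country alert for T4, because March's 100,000 total stays within three times the declared volume; the same transactions under an EDD profile additionally trigger the volume rule, since the tighter 1.5x tolerance is exceeded. Keeping the profile separate from the rules is the design point: the rules stay generic and the customer knowledge gathered at onboarding is what gives them meaning.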
Scope
Since the adoption of the US Bank Secrecy Act in 1970, the scope of AML laws has expanded significantly. Initially, it was limited: legal obligations were imposed upon insured depository institutions to identify money laundering, recognising the value of this information for detecting tax evasion and criminal activities more generally.[18]
Over time, these obligations and the sectors which are required to comply with them have expanded. In the United States, covered institutions are now required to identify and report more than 200 Federal and State crimes.[19] These include drug trafficking, financial crimes (e.g. fraud, embezzlement and market manipulation), crimes of violence (e.g. kidnapping and extortion), organised crime and racketeering (including bribery and illegal gambling), smuggling and trafficking. Since 2001 and the adoption of the USA Patriot Act, covered institutions have also been obliged to identify and report potential terrorist financing. This is described as Counter Terrorist Reporting (CTR).[20]
US AML/CTR laws now apply to a very wide range of financial institutions. These include traditional banking institutions, money service businesses, securities and commodities entities, casinos and card clubs, insurance companies, cryptocurrency exchanges, lenders, loan companies, telegraph companies, dealers in precious metals, stones or jewels, pawnbrokers, travel agents, real estate agents, vehicle sellers and credit card networks.[18]
In the European Union, similar legal obligations apply. The list of obligated entities, set out in the recent 2024 Regulation, includes:
- Accountants and auditors
- Credit institutions
- Crowdfunding services
- Estate agents
- Financial institutions
- Gambling services
- Investment firms
- Investment migration operators
- Notaries and lawyers
- Persons storing or trading in high value goods
- Professional football clubs and agents
- Tax advisors
- Trusts[5]
Problems
De-Banking
The costs for financial institutions of complying with AML/CFT obligations are significant and have contributed to de-banking. Financial institutions close accounts or deny access to financial services to new customers because of AML/CFT rules; specifically, because of the costs of KYC compliance checks and the need to manage the potential money laundering or other criminal risks posed by customers. For both existing and new customers, the costs of meeting AML/CFT obligations regularly outweigh the potential benefits for the financial institution.[21]
The intergovernmental Financial Action Task Force (FATF) identified a series of social problems which have emerged due to de-banking as a result of compliance by financial institutions with AML/CFT obligations. According to their report on the issue, there has been a growth in financial exclusion, particularly amongst the poor, deprived groups, minorities and the elderly and disabled. The FATF also found that financial institutions increasingly removed banking services from Not-for-profit Organisations (NPOs) due to concerns about the source and utilisation of funds, combined with AML/CFT obligations to manage the risk of crime and the cost of resources needed to manage these risks. The FATF pointed out that access to financial services is essential for full participation in modern societies.[22]
Insights into the scale of the problem of de-banking have been provided by research in the UK. It shows that in 2021-2022, more than 340,000 bank accounts were closed by financial institutions, primarily because of the costs of AML/CFT compliance compared to potential benefits. Customers who face the highest risk of closure include the poor and minorities, the elderly, charities, and small businesses that make large cash deposits or engage in activities in developing economies.[23]
Abuses of KYC
Financial institutions remove banking services from clients who fail KYC requirements or pose other forms of AML/CFT risks, such as threats to reputation, to ensure compliance with AML/CFT legal requirements. For instance, recent EU legislation states that if a client fails KYC checks, the financial institution must cease the provision of services.[5] This loss of financial services has a profound impact on individuals or businesses, making it difficult for them to manage their financial affairs and participate in modern society in general. The exploitation of KYC requirements to induce financial institutions to impose these consequences on disfavoured individuals or businesses has provided opportunities for abuse by e.g. politicians, criminals and activists.[24][25]
- In the United States, the Obama and Biden administrations used the concept of "reputational risk" as a criterion for assessing bank stability and safety as a means to shut down politically disfavoured businesses, such as payday lenders, pawn shops, gun shops and tobacco shops.[26] In this instance, "reputational risk" was taken to mean a view that an outside stakeholder might hold about the conduct of a financial institution in providing services to such industries. Recent regulation introduced by the Office of the Comptroller of the Currency of the US Treasury now prohibits the use of reputational risk as such a test.[27] However, as of today it remains part of the EU's AML/CFT regulatory model.[5]
- Other governments have also abused KYC requirements for their own agenda. For example, the governments of the United Arab Emirates, Turkey and Nicaragua took action to label political opponents as terrorists to make sure that their names were identified by compliance software. This led to the removal of banking services due to failed KYC checks.[28]
- Criminals, especially blackmailers and extortionists, are known to threaten individuals and businesses with releasing falsified information to trigger KYC failures.[29][30] Disinformation websites posing as credible news platforms are used to publish such content, which has been made easier to create with the progress of AI technology.[31][32]
- In the UK, politician Nigel Farage was de-banked by Coutts & Company because of concerns, expressed in internal documents by activist staff, about his political opinions.[33]
Know your customer's customer
Know your customer's customer (KYCC) is a process that identifies a customer's customer activities and nature. This includes the identification of the customer's customers and assessing the risk levels associated with their activities.[34]
KYCC is a derivative of the standard KYC process that arose because of the growing risk of fraud obscured by second-tier business relationships (e.g. a customer's supplier).[34] Such relationships include correspondent banking services. The need to manage the risks posed by these relationships was highlighted by the Financial Action Task Force (FATF) in 2016.[35] The importance of taking appropriate steps to understand potential risks posed by second-tier business relationships was highlighted by the Danske Bank money laundering scandal: more than $200 billion in suspicious non-resident funds flowed through Danske Bank's Estonian branch from 2007 to 2015.
In the USA, FinCEN does not set out formal KYCC obligations, but these are mandated directly through the requirements of the CDD Final Rule. This obliges financial institutions to perform comprehensive due diligence, which requires, where appropriate, understanding the source of funds and the nature of the customer's underlying business activities, and is of particular relevance for e.g. money service businesses and payment processors.[9] KYCC requirements also apply to correspondent banking through the application of the FinCEN 2007 EDD rule.[16]
KYCC is not just an issue of legal compliance: financial institutions need to know the beneficiaries of their clients in order to protect their business from various risks, which can include the infiltration of illegal funds. By extending the steps of know your customer to all of a client's various connections, proper due diligence can be exercised and business reputation protected.[36]
Electronic know your customer
Electronic know your customer (eKYC) involves the use of internet or digital means of identity verification.[37] This may involve checking information provided is valid by using systems to validate ID and proof of address documents or by checking information against government databases such as the official passport database of a country.[38]
In response to the digitalization of financial services, especially by neobanks and fintech platforms, the adoption of eKYC procedures has accelerated globally. eKYC systems often combine ID document verification, biometric authentication (e.g., facial recognition and liveness checks), and real-time risk monitoring to authenticate users. Some countries have implemented national guidelines or regulations around eKYC. For example, the Qatar Central Bank introduced a formal eKYC framework in 2023 aligned with its national fintech strategy, allowing digital onboarding of non-resident users with regulatory approval.[39]
eKYC is also being explored in conjunction with digital identity wallets and verifiable credentials as part of broader digital identity initiatives in jurisdictions like the European Union under the eIDAS framework.[40]
Laws by country
Different countries implement Know Your Customer (KYC) and Anti-Money Laundering (AML) regulations through their respective financial intelligence units or regulatory authorities, aligning with international standards set by the Financial Action Task Force (FATF).
- Australia: The Australian Transaction Reports and Analysis Centre (AUSTRAC), established in 1989, monitors financial transactions in Australia,[41][42] and sets client identification requirements under the Anti-Money Laundering and Counter-Terrorism Financing Act 2006. Obligations and scope have been updated by the AML/CFT Amendment Act 2024 and new rules issued by AUSTRAC in 2025. Changes include more prescriptive CDD obligations, more emphasis on governance and oversight of AML programs, and an expansion of the scope to reach new sectors.[43]
- Canada: The Financial Transactions and Reports Analysis Centre of Canada (FINTRAC), established in 2000, is Canada's financial intelligence unit. It updated its regulations in June 2016 regarding acceptable methods to determine the identity of individual clients to ensure compliance with AML and KYC regulations. A pending lawsuit is active in Canada challenging the constitutionality of the new legislation.[44]
- European Union: The EU 4th AML directive came into effect in June 2016. Strengthening due-diligence, this legislation requires the beneficial owner of companies be held in a central register.[45]
- India: The Reserve Bank of India (RBI) first issued Know Your Customer (KYC) guidelines for banks in 2002,[46] establishing standardized procedures for customer identification and verification.
As of March 2026, a parliamentary panel in India has recommended making Know Your Customer (KYC) verification mandatory for social media users to combat fake accounts, online fraud, and malicious content. This initiative aims to increase accountability for users on platforms like Instagram, Facebook, and YouTube.
- Italy: The Banca d'Italia exercises regulatory power over the financial industry and in 2007 set KYC requirements for financial institutions that operate on Italian territory.[47]
- Japan: Enacted the Act on Identification of Customers by Financial Institutions 2003,[48] requiring financial institutions to verify customer identity and maintain transaction records as part of the country's anti-money laundering framework.
- Mexico: The "Federal Law for Prevention and Identification of Operations with Resources from Illicit Origin" was promulgated in 2012 under president Felipe Calderón's administration and came into force in 2013 under president Enrique Peña Nieto's administration.[49]
- Namibia: Financial Intelligence Act, 2012 (Act No. 13 of 2012) published as Government Notice 299 in Gazette 5096 of 14 December 2012.[50] It establishes customer identification, record keeping, and reporting obligations for financial institutions as part of the country's anti-money laundering and counter-terrorism financing regime.
- New Zealand: Updated KYC laws were enacted in late 2009 and entered into force in 2010. KYC is mandatory for all registered banks and financial institutions (the latter has an extremely wide meaning).[51] In 2017, the Anti-Money Laundering and Countering Financing of Terrorism Amendment Act was passed. This extended the coverage of the 2009 Act to cover more businesses and professions considered to be vulnerable to money laundering.
- South Korea: Act on Reporting and Use of Certain Financial Transaction Information establishes customer due-diligence, record keeping, and reporting requirements for financial institutions as part of South Korea's anti-money laundering framework.[52]
- United Arab Emirates: The key instruments governing KYC in the UAE are Federal Decree-Law No. (20) of 2018 on Anti-Money Laundering and Combating the Financing of Terrorism and Financing of Illegal Organisations, and Cabinet Decision No. (10) of 2019 concerning the Implementing Regulation of that Decree-Law.[citation needed]
- United Kingdom: The Money Laundering Regulations 2017[53] are the underlying rules that govern KYC in the UK. Many UK businesses use the guidance provided by the European Joint Money Laundering Steering Group along with the Financial Conduct Authority's 'Financial Crime: A guide for firms' as an aid to compliance.[54]